@aura-stack/auth 0.6.0 → 0.7.1

Files changed (73)
  1. package/dist/@types/index.cjs +1 -0
  2. package/dist/@types/index.d.ts +2 -2
  3. package/dist/@types/index.js +1 -0
  4. package/dist/assert-DaZSf4SH.cjs +3 -0
  5. package/dist/assert-av6s0a6t.js +3 -0
  6. package/dist/client/index.cjs +1 -1
  7. package/dist/client/index.d.ts +1 -1
  8. package/dist/client/index.js +1 -1
  9. package/dist/crypto-BF4ETYC9.cjs +1 -0
  10. package/dist/crypto-D6aq4c8x.js +1 -0
  11. package/dist/env-BG1x-kSX.js +1 -0
  12. package/dist/env-BhQ2k7jj.cjs +1 -0
  13. package/dist/errors-Czt_w1t_.js +1 -0
  14. package/dist/errors-DcK2ELlk.cjs +1 -0
  15. package/dist/identity-n3aahaEr.cjs +1 -0
  16. package/dist/{index-BkpwQ0l4.d.cts → index-1ADcIVGC.d.ts} +822 -355
  17. package/dist/index.cjs +1 -1
  18. package/dist/index.d.ts +1 -1
  19. package/dist/index.js +1 -1
  20. package/dist/{logger-C59_CDMk.js → logger-BfUjjtxf.js} +1 -1
  21. package/dist/{logger-UnUhYL2V.cjs → logger-CVwkloPj.cjs} +1 -1
  22. package/dist/oauth/atlassian.d.ts +1 -1
  23. package/dist/oauth/bitbucket.d.ts +1 -1
  24. package/dist/oauth/click-up.cjs +1 -0
  25. package/dist/oauth/click-up.d.ts +2 -0
  26. package/dist/oauth/click-up.js +1 -0
  27. package/dist/oauth/discord.d.ts +1 -1
  28. package/dist/oauth/dribbble.cjs +1 -0
  29. package/dist/oauth/dribbble.d.ts +2 -0
  30. package/dist/oauth/dribbble.js +1 -0
  31. package/dist/oauth/dropbox.d.ts +1 -1
  32. package/dist/oauth/figma.d.ts +1 -1
  33. package/dist/oauth/github.d.ts +1 -1
  34. package/dist/oauth/gitlab.d.ts +1 -1
  35. package/dist/oauth/index.cjs +1 -1
  36. package/dist/oauth/index.d.ts +2 -2
  37. package/dist/oauth/index.js +1 -1
  38. package/dist/oauth/mailchimp.d.ts +1 -1
  39. package/dist/oauth/notion.cjs +1 -1
  40. package/dist/oauth/notion.d.ts +1 -1
  41. package/dist/oauth/notion.js +1 -1
  42. package/dist/oauth/pinterest.d.ts +1 -1
  43. package/dist/oauth/spotify.d.ts +1 -1
  44. package/dist/oauth/strava.d.ts +1 -1
  45. package/dist/oauth/twitch.cjs +1 -1
  46. package/dist/oauth/twitch.d.ts +1 -1
  47. package/dist/oauth/twitch.js +1 -1
  48. package/dist/oauth/x.d.ts +1 -1
  49. package/dist/shared/cookies.cjs +1 -0
  50. package/dist/shared/cookies.d.ts +1 -0
  51. package/dist/shared/cookies.js +1 -0
  52. package/dist/shared/crypto.cjs +1 -1
  53. package/dist/shared/crypto.d.ts +26 -2
  54. package/dist/shared/crypto.js +1 -1
  55. package/dist/shared/identity.cjs +1 -1
  56. package/dist/shared/identity.d.ts +2 -2
  57. package/dist/shared/identity.js +1 -1
  58. package/dist/shared/index.cjs +1 -1
  59. package/dist/shared/index.d.ts +1 -1
  60. package/dist/shared/index.js +1 -1
  61. package/package.json +28 -6
  62. package/dist/assert-B3iQSYlK.js +0 -3
  63. package/dist/assert-NJGroSJd.cjs +0 -3
  64. package/dist/crypto-Bz8nIciY.js +0 -1
  65. package/dist/crypto-CoXA5w_4.cjs +0 -1
  66. package/dist/env-bq387KyP.cjs +0 -1
  67. package/dist/env-nvh8QBNz.js +0 -1
  68. package/dist/errors-CCYPHuBO.cjs +0 -1
  69. package/dist/errors-DFWHOho6.js +0 -1
  70. package/dist/index-nqLV2t91.d.ts +0 -2279
  71. package/dist/index.d.cts +0 -2
  72. package/dist/oauth-BntNm6aE.cjs +0 -1
  73. package/dist/oauth-DmHy9VrB.js +0 -1
@@ -1,11 +1,17 @@
1
- import { ZodObject, ZodRawShape, ZodTypeAny, z } from "zod/v4";
2
- import { JWTPayload } from "@aura-stack/jose/jose";
3
- import { DecodeJWTOptions, EncodeJWTOptions, JWEHeaderParameters, JWTDecryptOptions, JWTHeaderParameters, JWTVerifyOptions, Prettify, TypedJWTPayload, TypedJWTPayload as TypedJWTPayload$1 } from "@aura-stack/jose";
4
1
  import * as _$_aura_stack_router0 from "@aura-stack/router";
5
2
  import { ClientOptions, GlobalContext } from "@aura-stack/router";
3
+ import { ZodObject, ZodRawShape, ZodTypeAny, infer as __Infer, z } from "zod/v4";
4
+ import { Type } from "arktype";
5
+ import { TObject, TProperties, TSchema, Type as Type$1 } from "typebox";
6
+ import { JWK, JWTPayload } from "@aura-stack/jose/jose";
7
+ import { DecodeJWTOptions, EncodeJWTOptions, JWEHeaderParameters, JWTDecryptOptions, JWTHeaderParameters, JWTVerifyOptions, TypedJWTPayload, TypedJWTPayload as TypedJWTPayload$1 } from "@aura-stack/jose";
6
8
  import { SerializeOptions } from "@aura-stack/router/cookie";
7
- import * as _$zod from "zod";
9
+ import * as valibot from "valibot";
10
+ import { AnySchema, BaseSchema, InferOutput, ObjectEntries, ObjectSchema } from "valibot";
11
+ import * as _$arktype_internal_variants_object_ts0 from "arktype/internal/variants/object.ts";
8
12
  import * as _$zod_v4_core0 from "zod/v4/core";
13
+ import { infer as infer$1 } from "zod/v4/core";
14
+ import * as _$zod from "zod";
9
15
 
10
16
  //#region src/schemas.d.ts
11
17
  /**
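Review bot: The added `import * as _$arktype_internal_variants_object_ts0 from "arktype/internal/variants/object.ts"` ties the published typings to an internal arktype module path, which can move or disappear in any arktype release and break type resolution for consumers. The declaration file also now imports `arktype`, `typebox` and `valibot` unconditionally, so a project that only uses Zod must still resolve all three or rely on `skipLibCheck`; whether they are declared as optional peer dependencies is decided in `package.json`, which this hunk does not show. Annotating `UserIdentityArkType` in the source with the public `Type<...>` already imported from `arktype` should keep the internal path out of the emitted declaration. The three added validators are new supply-chain surface and should be pinned and audited like any other dependency.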
@@ -72,17 +78,6 @@ declare const createJoseInstance: <DefaultUser extends User = User>(secret?: JWT
72
78
  decodeJWT: (token: string, options?: DecodeJWTOptions) => Promise<TypedJWTPayload<DefaultUser>>;
73
79
  };
74
80
  //#endregion
75
- //#region src/shared/identity.d.ts
76
- declare const UserIdentity: z.ZodObject<{
77
- sub: z.ZodString;
78
- name: z.ZodOptional<z.ZodNullable<z.ZodString>>;
79
- image: z.ZodOptional<z.ZodNullable<z.ZodString>>;
80
- email: z.ZodOptional<z.ZodNullable<z.ZodEmail>>;
81
- }, z.core.$strip>;
82
- type UserShape = (typeof UserIdentity)["shape"];
83
- type UserIdentityType = z.infer<typeof UserIdentity>;
84
- declare const createIdentity: <S extends EditableShape<UserShape>>(shape: S) => z.ZodObject<{ -readonly [P in keyof S]: S[P] }, z.core.$strip>;
85
- //#endregion
86
81
  //#region src/api/createApi.d.ts
87
82
  declare const createAuthAPI: <DefaultUser extends User = User>(ctx: GlobalContext) => {
88
83
  /**
@@ -165,6 +160,43 @@ declare const createAuthAPI: <DefaultUser extends User = User>(ctx: GlobalContex
165
160
  signOut: (options: SignOutAPIOptions) => Promise<SignOutAPIReturn>;
166
161
  };
167
162
  //#endregion
163
+ //#region src/shared/identity.d.ts
164
+ declare const UserIdentity: z.ZodObject<{
165
+ sub: z.ZodString;
166
+ name: z.ZodOptional<z.ZodNullable<z.ZodString>>;
167
+ image: z.ZodOptional<z.ZodNullable<z.ZodString>>;
168
+ email: z.ZodOptional<z.ZodNullable<z.ZodEmail>>;
169
+ }, z.core.$strip>;
170
+ declare const UserIdentityValibot: valibot.ObjectSchema<{
171
+ readonly sub: valibot.StringSchema<undefined>;
172
+ readonly name: valibot.OptionalSchema<valibot.NullableSchema<valibot.StringSchema<undefined>, undefined>, undefined>;
173
+ readonly image: valibot.OptionalSchema<valibot.NullableSchema<valibot.StringSchema<undefined>, undefined>, undefined>;
174
+ readonly email: valibot.OptionalSchema<valibot.NullableSchema<valibot.SchemaWithPipe<readonly [valibot.StringSchema<undefined>, valibot.EmailAction<string, undefined>]>, undefined>, undefined>;
175
+ }, undefined>;
176
+ declare const UserIdentityArkType: _$arktype_internal_variants_object_ts0.ObjectType<{
177
+ sub: string;
178
+ name?: string | null | undefined;
179
+ image?: string | null | undefined;
180
+ email?: string | null | undefined;
181
+ }, {}>;
182
+ declare const UserIdentityTypeBox: Type$1.TObject<{
183
+ sub: Type$1.TString;
184
+ name: Type$1.TOptional<Type$1.TUnion<[Type$1.TString, Type$1.TNull]>>;
185
+ image: Type$1.TOptional<Type$1.TUnion<[Type$1.TString, Type$1.TNull]>>;
186
+ email: Type$1.TOptional<Type$1.TUnion<[Type$1.TString, Type$1.TNull]>>;
187
+ }>;
188
+ type UserShape = typeof UserIdentity.shape;
189
+ type UserShapeValibot = typeof UserIdentityValibot.entries;
190
+ type UserShapeArkType = typeof UserIdentityArkType;
191
+ type UserShapeTypeBox = typeof UserIdentityTypeBox.properties;
192
+ type IsArkType<T extends Identities> = T extends EditableShapeArkType<UserShapeArkType> ? true : false;
193
+ type IsZod<T extends Identities> = T extends EditableShape<UserShape> ? true : false;
194
+ type IsValibot<T extends Identities> = T extends EditableShapeValibot<UserShapeValibot> ? true : false;
195
+ type SchemaTypes = ZodObject<any> | valibot.ObjectSchema<any, undefined> | Type<{}> | Type$1.TObject;
196
+ type Identities = EditableShape<UserShape> | EditableShapeValibot<UserShapeValibot> | EditableShapeArkType<UserShapeArkType> | EditableShapeTypebox<UserShapeTypeBox> | EditableUser;
197
+ type ReturnShapeType<T> = T extends EditableShape<UserShape> ? z.ZodObject<T> : T extends EditableShapeValibot<UserShapeValibot> ? valibot.ObjectSchema<T, undefined> : T extends EditableShapeArkType<UserShapeArkType> ? T : T extends EditableShapeTypebox<UserShapeTypeBox> ? Type$1.TObject<T> : T extends EditableUser ? z.ZodObject<T> : never;
198
+ declare const createIdentity: <S extends Identities>(shape: S) => ReturnShapeType<S>;
199
+ //#endregion
168
200
  //#region src/shared/logger.d.ts
169
201
  /**
170
202
  * Log message definitions organized by category.
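Review bot: The four built-in identity schemas do not visibly enforce the same constraint on `email`. The Zod declaration uses `z.ZodEmail` and the Valibot one pipes `valibot.EmailAction`, while `UserIdentityArkType` and `UserIdentityTypeBox` expose the field only as `string | null` and `TUnion<[TString, TNull]>`. A format constraint may exist at runtime without appearing in these types, so this should be confirmed in `src/shared/identity` and covered by a test that feeds the same malformed address to all four schemas. If they differ, switching validator library silently changes which identity data is accepted. Separately, `SchemaTypes` widens to `ZodObject<any>` and `ObjectSchema<any, undefined>` and deserves a one-line comment saying why the shape is left unchecked there.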
@@ -475,6 +507,16 @@ declare const logMessages: {
475
507
  declare const createLogEntry: <T extends keyof typeof logMessages>(key: T, overrides?: Partial<SyslogOptions>) => SyslogOptions;
476
508
  declare const createSyslogMessage: (options: SyslogOptions) => string;
477
509
  //#endregion
510
+ //#region src/validator/registry.d.ts
511
+ declare const createSchemaRegistry: <Identity extends SchemaTypes>(config: IdentityConfig<Identity>) => {
512
+ parse: (data?: unknown) => Promise<any>;
513
+ parseAsPartial: (data?: unknown) => Promise<any>;
514
+ parseWithJWT: (data?: unknown) => Promise<any>;
515
+ schema: any;
516
+ schemaAsPartial: any;
517
+ schemaWithJWT: any;
518
+ };
519
+ //#endregion
478
520
  //#region src/oauth/github.d.ts
479
521
  /**
480
522
  * @see [Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user)
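Review bot: Every member of the object returned by `createSchemaRegistry` is typed `any`: `parse`, `parseAsPartial` and `parseWithJWT` return `Promise<any>`, and the three schema fields are `any`. The output of the validation boundary is therefore unchecked by the compiler, and callers can read fields the schema never validated. Since `Identity` is already a type parameter, the source in `src/validator/registry` could return the inferred identity type, or at minimum force narrowing with `parse: (data?: unknown) => Promise<unknown>;`. The three parse variants also have no doc comments; a TSDoc line on each should say which keys become optional and which JWT claims are accepted, because the names alone do not establish that.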
@@ -1044,6 +1086,73 @@ interface AtlassianProfile {
1044
1086
  */
1045
1087
  declare const atlassian: <DefaultUser extends User = User>(options?: Partial<OAuthProviderCredentials<AtlassianProfile, DefaultUser>>) => OAuthProviderCredentials<AtlassianProfile, DefaultUser>;
1046
1088
  //#endregion
1089
+ //#region src/oauth/click-up.d.ts
1090
+ /**
1091
+ * @see [Click Up - Get Authorized User](https://developer.clickup.com/reference/getauthorizeduser)
1092
+ */
1093
+ interface ClickUpProfile {
1094
+ user: {
1095
+ id: number;
1096
+ username: string;
1097
+ email: string;
1098
+ color: string;
1099
+ profilePicture: string;
1100
+ initials: string;
1101
+ week_start_day: number;
1102
+ global_font_support: boolean;
1103
+ timezone: string;
1104
+ };
1105
+ }
1106
+ /**
1107
+ * ClickUp OAuth Provider
1108
+ *
1109
+ * @see [Click Up - Create your own app](https://help.clickup.com/hc/en-us/articles/6303422883095-Create-your-own-app-with-the-ClickUp-API)
1110
+ * @see [Click Up - Authentication](https://developer.clickup.com/docs/authentication)
1111
+ * @see [Click UP - Get Access Token](https://developer.clickup.com/reference/getaccesstoken)
1112
+ * @see [Click Up - Get Authorized User](https://developer.clickup.com/reference/getauthorizeduser)
1113
+ */
1114
+ declare const clickUp: <DefaultUser extends User = User>(options?: Partial<OAuthProviderCredentials<ClickUpProfile, DefaultUser>>) => OAuthProviderCredentials<ClickUpProfile, DefaultUser>;
1115
+ //#endregion
1116
+ //#region src/oauth/dribbble.d.ts
1117
+ /**
1118
+ * @see [Dribble - User](https://developer.dribbble.com/v2/user/)
1119
+ */
1120
+ interface DribbbleDefault {
1121
+ id: number;
1122
+ name: string;
1123
+ login: string;
1124
+ html_url: string;
1125
+ avatar_url: string;
1126
+ bio: string;
1127
+ location: string;
1128
+ links?: {
1129
+ web?: string;
1130
+ twitter?: string;
1131
+ };
1132
+ created_at: string;
1133
+ }
1134
+ interface DribbbleTeams extends DribbbleDefault {
1135
+ type: "Team";
1136
+ updated_at: string;
1137
+ }
1138
+ interface DribbbleProfile extends DribbbleDefault {
1139
+ type: "User";
1140
+ /** Not documented but available in the API response */
1141
+ email: string | null;
1142
+ can_upload_shot: boolean;
1143
+ pro: boolean;
1144
+ followers_count: number;
1145
+ teams: DribbbleTeams[];
1146
+ }
1147
+ /**
1148
+ * Dribbble OAuth provider
1149
+ *
1150
+ * @see [Dribbble - Register Application](https://dribbble.com/account/applications/new)
1151
+ * @see [Dribbble - OAuth](https://developer.dribbble.com/v2/oauth/)
1152
+ * @see [Dribbble - User](https://developer.dribbble.com/v2/user/)
1153
+ */
1154
+ declare const dribbble: <DefaultUser extends User = User>(options?: Partial<OAuthProviderCredentials<DribbbleProfile, DefaultUser>>) => OAuthProviderCredentials<DribbbleProfile, DefaultUser>;
1155
+ //#endregion
1047
1156
  //#region src/oauth/index.d.ts
1048
1157
  declare const builtInOAuthProviders: {
1049
1158
  readonly github: <DefaultUser extends User = {
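Review bot: `DribbbleProfile.email` carries the comment "Not documented but available in the API response", so the provider depends on a field the upstream API does not promise, and nothing here says whether the address is verified. The profile-to-user mapping is not part of this hunk; if it copies this value into the identity `email`, the TSDoc should say so and the value should be treated as unverified, i.e. not used as a key for account linking. The same question applies to `ClickUpProfile.user.email`. Minor: the `@see` labels are spelled inconsistently (`Click Up`, `Click UP`, `Dribble`) and should read `ClickUp` and `Dribbble`.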
@@ -1130,6 +1239,18 @@ declare const builtInOAuthProviders: {
1130
1239
  image?: string | null | undefined;
1131
1240
  email?: string | null | undefined;
1132
1241
  }>(options?: Partial<OAuthProviderCredentials<AtlassianProfile, DefaultUser>>) => OAuthProviderCredentials<AtlassianProfile, DefaultUser>;
1242
+ readonly clickUp: <DefaultUser extends User = {
1243
+ sub: string;
1244
+ name?: string | null | undefined;
1245
+ image?: string | null | undefined;
1246
+ email?: string | null | undefined;
1247
+ }>(options?: Partial<OAuthProviderCredentials<ClickUpProfile, DefaultUser>>) => OAuthProviderCredentials<ClickUpProfile, DefaultUser>;
1248
+ readonly dribbble: <DefaultUser extends User = {
1249
+ sub: string;
1250
+ name?: string | null | undefined;
1251
+ image?: string | null | undefined;
1252
+ email?: string | null | undefined;
1253
+ }>(options?: Partial<OAuthProviderCredentials<DribbbleProfile, DefaultUser>>) => OAuthProviderCredentials<DribbbleProfile, DefaultUser>;
1133
1254
  };
1134
1255
  /**
1135
1256
  * Constructs OAuth provider configurations from an array of provider names or configurations.
@@ -1147,6 +1268,196 @@ declare const builtInOAuthProviders: {
1147
1268
  declare const createBuiltInOAuthProviders: (oauth?: (BuiltInOAuthProvider | OAuthProviderCredentials<any>)[]) => Record<LiteralUnion<BuiltInOAuthProvider>, OAuthProviderCredentials<any>>;
1148
1269
  type BuiltInOAuthProvider = keyof typeof builtInOAuthProviders;
1149
1270
  //#endregion
1271
+ //#region src/@types/session.d.ts
1272
+ /** Application user type, inferred from the configured identity schema (defaults to the built-in user shape). */
1273
+ type User = infer$1<typeof UserIdentity>;
1274
+ /**
1275
+ * Session data returned by the session endpoint.
1276
+ */
1277
+ interface Session<DefaultUser extends User = User> {
1278
+ user: DefaultUser;
1279
+ expires: string;
1280
+ }
1281
+ interface CryptoSecret {
1282
+ sign: CryptoKey | CryptoKeyPair | JWK | JsonWebKey | AsymmetricKeyPair;
1283
+ encrypt: CryptoKey | CryptoKeyPair | JWK | JsonWebKey | AsymmetricKeyPair;
1284
+ }
1285
+ interface AsymmetricKeyPairFromEnv {
1286
+ publicKey: string;
1287
+ privateKey: string;
1288
+ }
1289
+ interface AsymmetricKeyPair {
1290
+ publicKey: CryptoKey | JWK;
1291
+ privateKey: CryptoKey | JWK;
1292
+ }
1293
+ /**
1294
+ * A symmetric secret or asymmetric key pair used for JWT operations.
1295
+ *
1296
+ * - string / Uint8Array: used as-is for HMAC (signed) or AES (encrypted)
1297
+ * - CryptoKey: Web Crypto API key, for environments that support it
1298
+ * - CryptoKeyPair: asymmetric signing/encryption (RS256, ES256, EdDSA, RSA-OAEP, etc.)
1299
+ */
1300
+ type SecretKey = string | Uint8Array | CryptoKey | CryptoKeyPair | CryptoSecret | JWK | AsymmetricKeyPair;
1301
+ /**
1302
+ * @todo: add key rotation support for "SecretKey | CryptoKeyPair | [SecretKey | CryptoKeyPair, ...(SecretKey | CryptoKeyPair)[]]"
1303
+ */
1304
+ type JWTKey = SecretKey;
1305
+ /**
1306
+ * - "signed" → standard JWS (e.g. HS256, RS256, ES256).
1307
+ * - "encrypted" → JWE only. (e.g. A256GCM with RSA-OAEP key wrapping).
1308
+ * - "sealed" → JWS nested inside JWE (signed then encrypted).
1309
+ */
1310
+ type JWTMode = "signed" | "encrypted" | "sealed";
1311
+ /**
1312
+ * Signing algorithms for "signed" and "sealed" modes.
1313
+ * Symmetric: HS256 | HS384 | HS512
1314
+ * Asymmetric: RS256 | RS384 | RS512 | ES256 | ES384 | ES512 | EdDSA | PS256
1315
+ */
1316
+ type JWTSigningAlgorithm = "HS256" | "HS384" | "HS512" | "RS256" | "RS384" | "RS512" | "ES256" | "ES384" | "ES512" | "EdDSA" | "PS256";
1317
+ /**
1318
+ * Key-wrapping algorithms for "encrypted" and "sealed" modes.
1319
+ * Symmetric: A128KW | A192KW | A256KW | dir (direct)
1320
+ * ECDH: ECDH-ES | ECDH-ES+A128KW | ECDH-ES+A256KW
1321
+ * RSA: RSA-OAEP | RSA-OAEP-256
1322
+ */
1323
+ type JWTKeyAlgorithm = "A128KW" | "A192KW" | "A256KW" | "dir" | "ECDH-ES" | "ECDH-ES+A128KW" | "ECDH-ES+A256KW" | "RSA-OAEP" | "RSA-OAEP-256";
1324
+ /** Content-encryption algorithms for JWE. */
1325
+ type JWTEncryptionAlgorithm = "A128CBC-HS256" | "A192CBC-HS384" | "A256CBC-HS512" | "A128GCM" | "A192GCM" | "A256GCM";
1326
+ /** Signed JWT mode configuration. */
1327
+ type JWTSignedMode = {
1328
+ mode: "signed";
1329
+ signingAlgorithm?: JWTSigningAlgorithm;
1330
+ };
1331
+ /** Encrypted JWT mode configuration. */
1332
+ type JWTEncryptedMode = {
1333
+ mode: "encrypted";
1334
+ keyAlgorithm?: JWTKeyAlgorithm;
1335
+ encryptionAlgorithm?: JWTEncryptionAlgorithm;
1336
+ };
1337
+ /** Signed and Encrypted JWT mode configuration. */
1338
+ type JWTSealedMode = {
1339
+ mode?: "sealed";
1340
+ signingAlgorithm?: JWTSigningAlgorithm;
1341
+ keyAlgorithm?: JWTKeyAlgorithm;
1342
+ encryptionAlgorithm?: JWTEncryptionAlgorithm;
1343
+ };
1344
+ /** Discriminated union of JWT wire format: signed JWS, encrypted JWE, or nested sealed (JWS in JWE). */
1345
+ type JWTConfigBase = JWTSignedMode | JWTEncryptedMode | JWTSealedMode;
1346
+ /** How session/JWT lifetime is enforced relative to `iat`, absolute caps, and sliding windows. */
1347
+ type JWTExpirationStrategy = "fixed" | "rolling" | "absolute" | "sliding";
1348
+ type JWTConfig = Prettify<{
1349
+ /**
1350
+ * Token lifetime.
1351
+ */
1352
+ maxAge?: number;
1353
+ /**
1354
+ * JWT `iss` (issuer) claim. Set this to your app's canonical URL.
1355
+ * @example "https://auth.example.com"
1356
+ */
1357
+ issuer?: string;
1358
+ /**
1359
+ * JWT `aud` claim. Single value or array for multi-audience tokens.
1360
+ * @example ["https://api.example.com", "https://app.example.com"]
1361
+ */
1362
+ audience?: string | string[];
1363
+ /**
1364
+ * Maximum absolute session duration in seconds.
1365
+ * Required for "absolute" and "sliding" strategies.
1366
+ * Enforced via jose's maxTokenAge against the iat claim.
1367
+ */
1368
+ maxExpiration?: number;
1369
+ /**
1370
+ * Policy for renewing or capping token lifetime (pairs with `maxExpiration` where applicable).
1371
+ */
1372
+ expirationStrategy?: JWTExpirationStrategy;
1373
+ } & JWTConfigBase>;
1374
+ /**
1375
+ * Stateless JWT strategy.
1376
+ * No database required. Tokens are self-contained and cannot be revoked
1377
+ * before they expire — keep `jwt.maxAge` short or enable refresh tokens.
1378
+ *
1379
+ * @example
1380
+ * {
1381
+ * strategy: "jwt",
1382
+ * jwt: { mode: "sealed", maxAge: "15m", issuer: "https://auth.example.com" },
1383
+ * refreshToken: { enabled: true, maxAge: "7d" },
1384
+ * }
1385
+ */
1386
+ type StatelessStrategyConfig = {
1387
+ strategy?: "jwt";
1388
+ jwt?: JWTConfig;
1389
+ };
1390
+ /**
1391
+ * The session strategy. Determines which fields below are required.
1392
+ *
1393
+ * - "jwt": stateless. No database needed. JWTs are self-contained.
1394
+ * - "database": stateful. Every request hits the DB to validate the session.
1395
+ * - "hybrid": JWT transport + DB revocation. Best of both for most apps.
1396
+ *
1397
+ * @default "jwt"
1398
+ */
1399
+ type SessionConfig = StatelessStrategyConfig;
1400
+ /** Result of reading a stateless (JWT) session from a request: session payload and outgoing header mutations. */
1401
+ interface GetStatelessSessionReturn<DefaultUser extends User = User> {
1402
+ session: Session<DefaultUser> | null;
1403
+ headers: Headers;
1404
+ }
1405
+ /**
1406
+ * Abstraction layer for session management.
1407
+ */
1408
+ interface SessionStrategy<DefaultUser extends User = User> {
1409
+ /**
1410
+ * Read and validate the session from an incoming request.
1411
+ * Returns null if absent, invalid, or expired. Never throws on auth failure.
1412
+ */
1413
+ getSession(request: Headers): Promise<GetStatelessSessionReturn<DefaultUser>>;
1414
+ /**
1415
+ * Create a session after successful authentication.
1416
+ * Signs the JWT / writes the DB row / sets cookies.
1417
+ */
1418
+ createSession(session: User): Promise<string>;
1419
+ /**
1420
+ * Attempt to refresh using the refresh token cookie.
1421
+ * Returns null session + cookie-clearing response on any failure.
1422
+ */
1423
+ refreshSession(headers: Headers, session: DeepPartial<Session<DefaultUser>>, skipCSRFCheck?: boolean): Promise<{
1424
+ session: Session<DefaultUser> | null;
1425
+ headers: Headers;
1426
+ }>;
1427
+ /**
1428
+ * Revoke a session by ID.
1429
+ * JWT strategy: best-effort (clears cookies, no server state).
1430
+ * Database / hybrid: marks row inactive.
1431
+ */
1432
+ revokeSession(sessionId: string): Promise<void>;
1433
+ /**
1434
+ * Destroy the session attached to this request (logout).
1435
+ * Returns a response that clears cookies.
1436
+ */
1437
+ destroySession(request: Headers, skipCSRFCheck?: boolean): Promise<Headers>;
1438
+ }
1439
+ /** Inputs for constructing a session strategy implementation for a given identity schema. */
1440
+ interface CreateSessionStrategyOptions<Identity extends Identities> {
1441
+ config?: SessionConfig;
1442
+ jose: JoseInstance<FromShapeToObject<Identity> & User>;
1443
+ cookies: () => CookieStoreConfig;
1444
+ logger?: InternalLogger;
1445
+ identity: SchemaRegistryContext;
1446
+ }
1447
+ /** Options specialized for the JWT-backed session strategy. */
1448
+ interface JWTStrategyOptions<DefaultUser extends User = User> {
1449
+ config?: StatelessStrategyConfig;
1450
+ jose: JoseInstance<DefaultUser>;
1451
+ logger?: InternalLogger;
1452
+ cookies: () => CookieStoreConfig;
1453
+ identity: SchemaRegistryContext;
1454
+ }
1455
+ /** Minimal token issue/verify surface used by session code paths. */
1456
+ type JWTManager<DefaultUser extends User = User> = {
1457
+ createToken(user: TypedJWTPayload<Partial<DefaultUser>>): Promise<string>;
1458
+ verifyToken(token: string): Promise<TypedJWTPayload<DefaultUser>>;
1459
+ };
1460
+ //#endregion
1150
1461
  //#region src/@types/oauth.d.ts
1151
1462
  /** Known query parameter names supported when building an OAuth authorization URL. */
1152
1463
  type AuthorizeParams = LiteralUnion<"clientId" | "prompt" | "scope" | "responseMode" | "audience" | "loginHint" | "nonce" | "display">;
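Review bot: The documentation added in this region describes options that the types do not accept. The `StatelessStrategyConfig` example uses `maxAge: "15m"` and a `refreshToken: { enabled: true, maxAge: "7d" }` block, but `JWTConfig.maxAge` is `number` with no unit stated and `StatelessStrategyConfig` has only `strategy` and `jwt`; likewise the `SessionConfig` comment lists "database" and "hybrid" strategies while the alias is `StatelessStrategyConfig` alone. A reader following these comments would assume server-side revocation or refresh tokens are available, when the only typed strategy is the stateless one that, per its own comment, cannot be revoked before expiry. I would change the example to `jwt: { mode: "sealed", maxAge: 900 }`, state the unit on `maxAge` (for instance `/** Token lifetime in seconds. */`, if seconds is what the implementation uses), and mark the other strategies as planned. `skipCSRFCheck` on `refreshSession` and `destroySession` also needs a TSDoc line saying which callers may pass `true`, since it turns off a protection.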
@@ -1214,7 +1525,7 @@ type OAuthProviderRecord<DefaultUser extends User = User> = Record<LiteralUnion<
1214
1525
  * Main configuration interface for Aura Auth.
1215
1526
  * This is the user-facing configuration object passed to `createAuth()`.
1216
1527
  */
1217
- interface AuthConfig<Identity extends EditableShape<UserShape> = EditableShape<UserShape>> {
1528
+ type AuthConfig<Identity extends Identities> = {
1218
1529
  /**
1219
1530
  * OAuth providers available in the authentication and authorization flows. It provides a type-inference
1220
1531
  * for the OAuth providers that are supported by Aura Stack Auth; alternatively, you can provide a custom
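Review bot: `AuthConfig` loses its default type argument on the changed line (`Identity extends EditableShape<UserShape> = EditableShape<UserShape>` becomes `Identity extends Identities`), so any consumer that writes a bare `AuthConfig` annotation stops compiling. The switch from `interface` to `type` also removes declaration merging. For a 0.6.0 → 0.7.1 step this should either be restored, e.g. `type AuthConfig<Identity extends Identities = EditableShape<UserShape>> = {`, or called out as breaking in the changelog. The body of `AuthConfig` continues outside this hunk; a later hunk removes its `trustedOrigins` option, whose comment says it exists to prevent open redirects, and no replacement is visible in this part of the diff, so upgraders should confirm where redirect-origin validation is configured in 0.7.x.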
@@ -1245,7 +1556,7 @@ interface AuthConfig<Identity extends EditableShape<UserShape> = EditableShape<U
1245
1556
  * ]
1246
1557
  * ```
1247
1558
  */
1248
- oauth: (BuiltInOAuthProvider | OAuthProviderCredentials<any, ShapeToObject<Identity>>)[];
1559
+ oauth: (BuiltInOAuthProvider | OAuthProviderCredentials<any, FromShapeToObject<Identity>>)[];
1249
1560
  /**
1250
1561
  * Cookie options defines the configuration for cookies used in Aura Auth.
1251
1562
  * It includes a prefix for cookie names and flag options to determine
@@ -1269,6 +1580,27 @@ interface AuthConfig<Identity extends EditableShape<UserShape> = EditableShape<U
1269
1580
  * Secret used to sign and verify JWT tokens for session and csrf protection.
1270
1581
  * If not provided, it will load from the environment variable `AURA_AUTH_SECRET` or `AUTH_SECRET`, but if it
1271
1582
  * doesn't exist, it will throw an error during the initialization of the Auth module.
1583
+ *
1584
+ * > It can be a string, a Uint8Array, a CryptoKey, a CryptoKeyPair, or an object containing separate keys for
1585
+ * signing and encryption. It depends on the JWT mode and algorithms you choose in the session configuration.
1586
+ * The default mode is "sealed" (signing + encryption), so if the secret is a string or Uint8Array, it will derive
1587
+ * separate keys for signing and encryption using HKDF, but if you provide a CryptoKeyPair, it will required to
1588
+ * pass separate keys for signing and encryption in the `CryptoSecret` format.
1589
+ * @example
1590
+ * import { createSecretValue } from "@aura-stack/auth/crypto"
1591
+ *
1592
+ * secret: createSecretValue(32)
1593
+ *
1594
+ * // For asymmetric keys, generate a key pair and pass the private
1595
+ * import { createKeyPair } from "@aura-stack/auth/crypto"
1596
+ *
1597
+ * const signing = await createKeyPair("RS256", { extractable: true })
1598
+ * const encryption = await createKeyPair("RSA-OAEP-256", { extractable: true })
1599
+ *
1600
+ * secret: {
1601
+ * sign: signing,
1602
+ * encrypt: encryption,
1603
+ * }
1272
1604
  */
1273
1605
  secret?: JWTKey;
1274
1606
  /**
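Review bot: The added example creates both key pairs with `{ extractable: true }`, which allows the private keys to be exported from the runtime, and it does not say why that is needed. If the library does not have to export them the example should use `extractable: false` (this cannot be confirmed from the hunk); otherwise add a line explaining the requirement. The wording also needs repair: `it will required to pass` should be `you are required to pass`, and the comment `// For asymmetric keys, generate a key pair and pass the private` stops mid-sentence. The `SecretKey` comment in the session types says a string is "used as-is for HMAC", while this text says string secrets go through HKDF to derive separate keys; one of the two should be corrected.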
@@ -1279,45 +1611,11 @@ interface AuthConfig<Identity extends EditableShape<UserShape> = EditableShape<U
1279
1611
  * Base path for all authentication routes. Default is `/auth`.
1280
1612
  */
1281
1613
  basePath?: `/${string}`;
1282
- /**
1283
- * Enable trusted proxy headers for scenarios where the application is behind a reverse proxy or load balancer.
1284
- * This setting allows Aura Auth to correctly interpret headers like `X-Forwarded-For` and `X-Forwarded-Proto`
1285
- * to determine the original client IP address and protocol.
1286
- *
1287
- * Default is `false`. Enable this option only if you are certain that your application is behind a trusted proxy.
1288
- * Misconfiguration can lead to security vulnerabilities, such as incorrect handling of secure cookies or
1289
- * inaccurate client IP logging.
1290
- *
1291
- * This value can also be set via environment variable as `AURA_AUTH_TRUSTED_PROXY_HEADERS`
1292
- *
1293
- * @see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For
1294
- * @see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Proto
1295
- * @see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Forwarded
1296
- * @experimental
1297
- */
1298
- trustedProxyHeaders?: boolean;
1299
1614
  /**
1300
1615
  * Logger configuration for handling authentication-related logs and errors. It can be set to `true`,
1301
1616
  * `DEBUG=true`, `LOG_LEVEL=debug`, or a custom logger. It implements the syslog format.
1302
1617
  */
1303
1618
  logger?: boolean | Logger;
1304
- /**
1305
- * Defines trusted origins for your application to prevent open redirect attacks.
1306
- * URLs from the Referer header, Origin header, request URL, and redirectTo option
1307
- * are validated against this list before redirecting.
1308
- *
1309
- * - **Exact URL**: `https://example.com` matches only that origin.
1310
- * - **Subdomain wildcard**: `https://*.example.com` matches `https://app.example.com`, `https://api.example.com`, etc.
1311
- * @example
1312
- * trustedOrigins: ["https://example.com", "https://*.example.com", "http://localhost:3000"]
1313
- *
1314
- *
1315
- * trustedOrigins: async (request) => {
1316
- * const origin = new URL(request.url).origin
1317
- * return [origin, "https://admin.example.com"]
1318
- * }
1319
- */
1320
- trustedOrigins?: TrustedOrigin[] | ((request: Request) => Promise<TrustedOrigin[]> | TrustedOrigin[]);
1321
1619
  /**
1322
1620
  * Defines the session management strategy for Aura Auth. It determines how sessions are created, stored, and validated.
1323
1621
  */
@@ -1344,36 +1642,131 @@ interface AuthConfig<Identity extends EditableShape<UserShape> = EditableShape<U
1344
1642
  * }
1345
1643
  */
1346
1644
  identity?: Partial<{
1645
+ /**
1646
+ * Skip schema validation for session data, JWT payloads, and OAuth profiles.
1647
+ * This can be useful for performance optimization if you are certain that the
1648
+ * data is valid, but it can lead to security vulnerabilities if misused.
1649
+ * > ⚠️ WARNING: Use this option with caution.
1650
+ */
1347
1651
  skipValidation: boolean;
1348
- schema: ZodObject<Identity>;
1652
+ /**
1653
+ * Custom schema validation for user identity data. It supports any Zod, Arktype,
1654
+ * Valibot or Typebox schema. Use `createIdentity` helper function to create a schema
1655
+ * with the correct shape and inference.
1656
+ */
1657
+ schema: ConfigSchema<Identity>;
1658
+ /**
1659
+ * Defines how unknown keys are handled during schema validation. It can be set to:
1660
+ * - `passthrough`: Unknown keys are allowed and included in the validated data.
1661
+ * - `strict`: Unknown keys will cause validation to fail with an error.
1662
+ * - `strip`: Unknown keys are removed from the validated data.
1663
+ */
1349
1664
  unknownKeys: "passthrough" | "strict" | "strip";
1350
1665
  }>;
1351
1666
  /**
1352
1667
  * Credentials provider for username/password or similar authentication.
1353
1668
  */
1354
1669
  credentials?: CredentialsProvider<Identity>;
1355
- }
1670
+ } & TrustedProxyHeadersConfig;
1671
+ type TrustedProxyHeadersConfig = {
1672
+ /**
1673
+ * Enable trusted proxy headers for scenarios where the application is behind a reverse proxy or load balancer.
1674
+ * This setting allows Aura Auth to correctly interpret headers like `X-Forwarded-For` and `X-Forwarded-Proto`
1675
+ * to determine the original client IP address and protocol.
1676
+ *
1677
+ * Default is `false`. Enable this option only if you are certain that your application is behind a trusted proxy.
1678
+ * Misconfiguration can lead to security vulnerabilities, such as incorrect handling of secure cookies or
1679
+ * inaccurate client IP logging.
1680
+ *
1681
+ * This value can also be set via environment variable as `AURA_AUTH_TRUSTED_PROXY_HEADERS`
1682
+ *
1683
+ * @see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For
1684
+ * @see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Proto
1685
+ * @see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Forwarded
1686
+ * @experimental
1687
+ */
1688
+ trustedProxyHeaders: true;
1689
+ /**
1690
+ * Defines trusted origins for your application to prevent open redirect attacks.
1691
+ * URLs from the Referer header, Origin header, request URL, and redirectTo option
1692
+ * are validated against this list before redirecting.
1693
+ *
1694
+ * - **Exact URL**: `https://example.com` matches only that origin.
1695
+ * - **Subdomain wildcard**: `https://*.example.com` matches `https://app.example.com`, `https://api.example.com`, etc.
1696
+ *
1697
+ * > **⚠️ WARNING:** Ensure that the trusted origins are configured correctly to prevent open redirect vulnerabilities.
1698
+ * Only include origins that you control and trust.
1699
+ *
1700
+ * @example
1701
+ * trustedOrigins: ["https://example.com", "https://*.example.com", "http://localhost:3000"]
1702
+ *
1703
+ * trustedOrigins: async (request) => {
1704
+ * const origin = new URL(request.url).origin
1705
+ * return [origin, "https://admin.example.com"]
1706
+ * }
1707
+ */
1708
+ trustedOrigins: TrustedOrigin[] | ((request: Request) => Promise<TrustedOrigin[]> | TrustedOrigin[]);
1709
+ } | {
1710
+ /**
1711
+ * Enable trusted proxy headers for scenarios where the application is behind a reverse proxy or load balancer.
1712
+ * This setting allows Aura Auth to correctly interpret headers like `X-Forwarded-For` and `X-Forwarded-Proto`
1713
+ * to determine the original client IP address and protocol.
1714
+ *
1715
+ * Default is `false`. Enable this option only if you are certain that your application is behind a trusted proxy.
1716
+ * Misconfiguration can lead to security vulnerabilities, such as incorrect handling of secure cookies or
1717
+ * inaccurate client IP logging.
1718
+ *
1719
+ * This value can also be set via environment variable as `AURA_AUTH_TRUSTED_PROXY_HEADERS`
1720
+ *
1721
+ * @see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For
1722
+ * @see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Proto
1723
+ * @see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Forwarded
1724
+ * @experimental
1725
+ */
1726
+ trustedProxyHeaders?: false;
1727
+ /**
1728
+ * Defines trusted origins for your application to prevent open redirect attacks.
1729
+ * URLs from the Referer header, Origin header, request URL, and redirectTo option
1730
+ * are validated against this list before redirecting.
1731
+ *
1732
+ * - **Exact URL**: `https://example.com` matches only that origin.
1733
+ * - **Subdomain wildcard**: `https://*.example.com` matches `https://app.example.com`, `https://api.example.com`, etc.
1734
+ *
1735
+ * > **⚠️ WARNING:** Ensure that the trusted origins are configured correctly to prevent open redirect vulnerabilities.
1736
+ * Only include origins that you control and trust.
1737
+ *
1738
+ * @example
1739
+ * trustedOrigins: ["https://example.com", "https://*.example.com", "http://localhost:3000"]
1740
+ *
1741
+ * trustedOrigins: async (request) => {
1742
+ * const origin = new URL(request.url).origin
1743
+ * return [origin, "https://admin.example.com"]
1744
+ * }
1745
+ *
1746
+ */
1747
+ trustedOrigins?: TrustedOrigin[] | ((request: Request) => Promise<TrustedOrigin[]> | TrustedOrigin[]);
1748
+ };
1356
1749
  /**
1357
1750
  * Cookie type with __Secure- prefix, must be Secure.
1358
1751
  * @see https://httpwg.org/http-extensions/draft-ietf-httpbis-rfc6265bis.html#name-the-__secure-prefix
1359
1752
  */
1360
1753
  type SecureCookie = {
1361
1754
  strategy: "secure";
1362
- } & Prettify$1<Omit<SerializeOptions, "secure" | "encode">>;
1755
+ } & Prettify<Omit<SerializeOptions, "secure" | "encode">>;
1363
1756
  /**
1364
1757
  * Cookie type with __Host- prefix, must be Secure, Path=/, no Domain attribute.
1365
1758
  * @see https://httpwg.org/http-extensions/draft-ietf-httpbis-rfc6265bis.html#name-the-__host-prefix
1366
1759
  */
1367
1760
  type HostCookie = {
1368
1761
  strategy: "host";
1369
- } & Prettify$1<Omit<SerializeOptions, "secure" | "path" | "domain" | "encode">>;
1762
+ } & Prettify<Omit<SerializeOptions, "secure" | "path" | "domain" | "encode">>;
1370
1763
  /**
1371
1764
  * Standard cookie type without security prefixes.
1372
1765
  * Can be sent over both HTTP and HTTPS connections (default in development).
1373
1766
  */
1374
1767
  type StandardCookie = {
1375
1768
  strategy?: "standard";
1376
- } & Prettify$1<Omit<SerializeOptions, "encode">>;
1769
+ } & Prettify<Omit<SerializeOptions, "encode">>;
1377
1770
  /**
1378
1771
  * Union type for cookie options based on the specified strategy.
1379
1772
  * - `secure`: Cookies are only sent over HTTPS connections
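Review bot: The union in `TrustedProxyHeadersConfig` makes `trustedOrigins` mandatory only when `trustedProxyHeaders: true` is written in code, yet both branches document that the same switch can be set through `AURA_AUTH_TRUSTED_PROXY_HEADERS`, which the type checker cannot see. A deployment that enables forwarded-header trust through the environment therefore still type-checks under the `trustedProxyHeaders?: false` branch with no `trustedOrigins`; whether the runtime rejects that combination is not visible in this hunk, so a startup check is worth confirming. The second branch's comment should say so, for example `* If AURA_AUTH_TRUSTED_PROXY_HEADERS enables this at runtime, trustedOrigins must still be configured.` The function-form `@example` also returns `new URL(request.url).origin` as a trusted origin, which presumably echoes a value taken from the request itself, so a fixed allow-list would be the safer example to show.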
@@ -1386,10 +1779,9 @@ type CookieStrategyAttributes = StandardCookie | SecureCookie | HostCookie;
1386
1779
  * - `sessionToken`: User session JWT
1387
1780
  * - `csrfToken`: CSRF protection token
1388
1781
  * - `state`: OAuth state parameter for CSRF protection
1389
- * - `code_verifier`: PKCE code verifier for authorization code flow
1390
- * - `redirect_uri`: OAuth callback URI
1391
- * - `redirect_to`: Post-authentication redirect path
1392
- * - `nonce`: OpenID Connect nonce parameter
1782
+ * - `codeVerifier`: PKCE code verifier for authorization code flow
1783
+ * - `redirectURI`: OAuth callback URI
1784
+ * - `redirectTo`: Post-authentication redirect path
1393
1785
  */
1394
1786
  type CookieName = "sessionToken" | "csrfToken" | "state" | "codeVerifier" | "redirectTo" | "redirectURI";
1395
1787
  /** Resolved cookie names and serialization attributes for each logical auth cookie. */
@@ -1402,6 +1794,10 @@ interface CookieConfig {
1402
1794
  * Prefix to be added to all cookie names. By default "aura-stack".
1403
1795
  */
1404
1796
  prefix?: string;
1797
+ /**
1798
+ * Overrides for individual cookie configurations.
1799
+ * @see {@link CookieStoreConfig} for the structure of each cookie configuration.
1800
+ */
1405
1801
  overrides?: Partial<CookieStoreConfig>;
1406
1802
  }
1407
1803
  /**
@@ -1454,8 +1850,9 @@ interface InternalLogger {
1454
1850
  * Identity validation settings used when building session strategy and OAuth profile mapping.
1455
1851
  * Controls the Zod schema and how unknown keys are handled on user objects.
1456
1852
  */
1457
- interface IdentityConfig<Schema extends ZodObject<any> = typeof UserIdentity> {
1853
+ interface IdentityConfig<Schema extends SchemaTypes = typeof UserIdentity> {
1458
1854
  schema?: Schema;
1855
+ schemaAsPartial?: Schema;
1459
1856
  skipValidation?: boolean;
1460
1857
  unknownKeys?: "passthrough" | "strict" | "strip";
1461
1858
  }
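Review bot: The comment above `IdentityConfig` still says it "Controls the Zod schema" although the constraint is now `Schema extends SchemaTypes`, and the new `schemaAsPartial?: Schema` field has no comment at all. Because it shares the type of `schema`, a reader cannot tell which payloads are checked against the partial variant rather than the full one, and that matters when judging how much validation an identity object has had. I would reword the header to `* Controls the identity schema and how unknown keys are handled on user objects.` and add a one-line comment on `schemaAsPartial` stating where it is used. The doc comment itself starts outside this hunk.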
@@ -1485,14 +1882,14 @@ interface CredentialsProviderContext<T> {
1485
1882
  /**
1486
1883
  * Interface for the credentials provider.
1487
1884
  */
1488
- interface CredentialsProvider<Identity extends EditableShape<UserShape> = EditableShape<UserShape>> {
1885
+ interface CredentialsProvider<Identity extends Identities> {
1489
1886
  hash?: (password: string, salt?: string, iterations?: number) => Promise<string>;
1490
1887
  verify?: (password: string, hashedPassword: string) => Promise<boolean>;
1491
1888
  /**
1492
1889
  * Authenticates a user using credentials.
1493
1890
  * Must return a User object or the identity type if the identity schema is provided.
1494
1891
  */
1495
- authorize: (ctx: CredentialsProviderContext<CredentialsPayload>) => Promise<ShapeToObject<Identity> | null> | ShapeToObject<Identity> | null;
1892
+ authorize: (ctx: CredentialsProviderContext<CredentialsPayload>) => Promise<FromShapeToObject<Identity> | null> | FromShapeToObject<Identity> | null;
1496
1893
  }
1497
1894
  /**
1498
1895
  * Runtime context passed into auth actions and API handlers: OAuth map, cookies, JWT, session strategy, trusted origins, etc.
@@ -1510,11 +1907,12 @@ interface RouterGlobalContext<DefaultUser extends User = User> {
1510
1907
  trustedOrigins?: TrustedOrigin[] | ((request: Request) => Promise<TrustedOrigin[]> | TrustedOrigin[]);
1511
1908
  logger?: InternalLogger;
1512
1909
  sessionStrategy: SessionStrategy<DefaultUser>;
1513
- identity: {
1514
- unknownKeys: "passthrough" | "strict" | "strip";
1515
- schema: ZodObject<any>;
1516
- skipValidation?: boolean;
1517
- };
1910
+ identity: SchemaRegistryContext;
1911
+ }
1912
+ interface SchemaRegistryContext {
1913
+ schemaRegistry: ReturnType<typeof createSchemaRegistry>;
1914
+ skipValidation?: boolean;
1915
+ unknownKeys: "passthrough" | "strict" | "strip";
1518
1916
  }
1519
1917
  /**
1520
1918
  * Internal runtime configuration used within Aura Auth after initialization.
@@ -1525,8 +1923,17 @@ type AuthRuntimeConfig<DefaultUser extends User = User> = RouterGlobalContext<De
1525
1923
  * Public auth instance: programmatic {@link AuthAPI}, {@link JoseInstance}, and HTTP {@link AuthClient} handlers.
1526
1924
  */
1527
1925
  interface AuthInstance<DefaultUser extends User = User> {
1926
+ /**
1927
+ * Programmatic API for authentication actions (getSession, signIn, signOut, etc.) that can be used in server-side contexts or API routes.
1928
+ */
1528
1929
  api: AuthAPI<DefaultUser>;
1930
+ /**
1931
+ * JOSE helper functions for signin, encryption and verification of JWTs.
1932
+ */
1529
1933
  jose: JoseInstance<DefaultUser>;
1934
+ /**
1935
+ * HTTP handlers for mounting on a router or server.
1936
+ */
1530
1937
  handlers: {
1531
1938
  GET: (request: Request) => Response | Promise<Response>;
1532
1939
  POST: (request: Request) => Response | Promise<Response>;
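Review bot: The new comment on `jose` reads "JOSE helper functions for signin, encryption and verification of JWTs", and in an authentication library "signin" is easily read as sign-in rather than the cryptographic operation. It should be `* JOSE helper functions for signing, encryption and verification of JWTs.` The `AuthInstance` body continues outside this hunk.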
@@ -1537,199 +1944,16 @@ interface AuthInstance<DefaultUser extends User = User> {
1537
1944
  /**
1538
1945
  * Extended context used inside the library with both secure and standard cookie materializations.
1539
1946
  */
1540
- type InternalContext<Identity extends EditableShape<UserShape>> = RouterGlobalContext<ShapeToObject<Identity> & User> & {
1947
+ type InternalContext<Identity extends Identities> = RouterGlobalContext<FromShapeToObject<Identity> & User> & {
1541
1948
  cookieConfig: {
1542
1949
  secure: CookieStoreConfig;
1543
1950
  standard: CookieStoreConfig;
1544
1951
  };
1545
1952
  };
1546
1953
  //#endregion
1547
- //#region src/@types/session.d.ts
1548
- /** Application user type, inferred from the configured identity schema (defaults to the built-in user shape). */
1549
- type User = UserIdentityType;
1550
- /**
1551
- * Session data returned by the session endpoint.
1552
- */
1553
- interface Session<DefaultUser extends User = User> {
1554
- user: DefaultUser;
1555
- expires: string;
1556
- }
1557
- /**
1558
- * A symmetric secret or asymmetric key pair used for JWT operations.
1559
- *
1560
- * - string / Uint8Array: used as-is for HMAC (signed) or AES (encrypted)
1561
- * - CryptoKey: Web Crypto API key, for environments that support it
1562
- * - KeyPair: asymmetric signing (RS256, ES256, EdDSA, etc.)
1563
- */
1564
- type SecretKey = string | Uint8Array | CryptoKey;
1565
- /** Asymmetric key pair for signing or key agreement (Web Crypto `CryptoKey` pair). */
1566
- interface KeyPair {
1567
- privateKey: CryptoKey;
1568
- publicKey: CryptoKey;
1569
- }
1570
- /**
1571
- * @todo: add key rotation support for "SecretKey | KeyPair | [SecretKey | KeyPair, ...(SecretKey | KeyPair)[]]"
1572
- */
1573
- type JWTKey = SecretKey;
1574
- /**
1575
- * - "signed" → standard JWS (e.g. HS256, RS256, ES256).
1576
- * - "encrypted" → JWE only. (e.g. A256GCM with RSA-OAEP key wrapping).
1577
- * - "sealed" → JWS nested inside JWE (signed then encrypted).
1578
- */
1579
- type JWTMode = "signed" | "encrypted" | "sealed";
1580
- /**
1581
- * Signing algorithms for "signed" and "sealed" modes.
1582
- * Symmetric: HS256 | HS384 | HS512
1583
- * Asymmetric: RS256 | RS384 | RS512 | ES256 | ES384 | ES512 | EdDSA | PS256
1584
- */
1585
- type JWTSigningAlgorithm = "HS256" | "HS384" | "HS512" | "RS256" | "RS384" | "RS512" | "ES256" | "ES384" | "ES512" | "EdDSA" | "PS256";
1586
- /**
1587
- * Key-wrapping algorithms for "encrypted" and "sealed" modes.
1588
- * Symmetric: A128KW | A192KW | A256KW | dir (direct)
1589
- * ECDH: ECDH-ES | ECDH-ES+A128KW | ECDH-ES+A256KW
1590
- * RSA: RSA-OAEP | RSA-OAEP-256
1591
- */
1592
- type JWTKeyAlgorithm = "A128KW" | "A192KW" | "A256KW" | "dir" | "ECDH-ES" | "ECDH-ES+A128KW" | "ECDH-ES+A256KW" | "RSA-OAEP" | "RSA-OAEP-256";
1593
- /** Content-encryption algorithms for JWE. */
1594
- type JWTEncryptionAlgorithm = "A128CBC-HS256" | "A192CBC-HS384" | "A256CBC-HS512" | "A128GCM" | "A192GCM" | "A256GCM";
1595
- /** Signed JWT mode configuration. */
1596
- type JWTSignedMode = {
1597
- mode: "signed";
1598
- signingAlgorithm?: JWTSigningAlgorithm;
1599
- };
1600
- /** Encrypted JWT mode configuration. */
1601
- type JWTEncryptedMode = {
1602
- mode: "encrypted";
1603
- keyAlgorithm?: JWTKeyAlgorithm;
1604
- encryptionAlgorithm?: JWTEncryptionAlgorithm;
1605
- };
1606
- /** Signed and Encrypted JWT mode configuration. */
1607
- type JWTSealedMode = {
1608
- mode?: "sealed";
1609
- signingAlgorithm?: JWTSigningAlgorithm;
1610
- keyAlgorithm?: JWTKeyAlgorithm;
1611
- encryptionAlgorithm?: JWTEncryptionAlgorithm;
1612
- };
1613
- /** Discriminated union of JWT wire format: signed JWS, encrypted JWE, or nested sealed (JWS in JWE). */
1614
- type JWTConfigBase = JWTSignedMode | JWTEncryptedMode | JWTSealedMode;
1615
- /** How session/JWT lifetime is enforced relative to `iat`, absolute caps, and sliding windows. */
1616
- type JWTExpirationStrategy = "fixed" | "rolling" | "absolute" | "sliding";
1617
- type JWTConfig = {
1618
- /**
1619
- * Token lifetime.
1620
- */
1621
- maxAge?: number;
1622
- /**
1623
- * JWT `iss` (issuer) claim. Set this to your app's canonical URL.
1624
- * @example "https://auth.example.com"
1625
- */
1626
- issuer?: string;
1627
- /**
1628
- * JWT `aud` claim. Single value or array for multi-audience tokens.
1629
- * @example ["https://api.example.com", "https://app.example.com"]
1630
- */
1631
- audience?: string | string[];
1632
- /**
1633
- * Maximum absolute session duration in seconds.
1634
- * Required for "absolute" and "sliding" strategies.
1635
- * Enforced via jose's maxTokenAge against the iat claim.
1636
- */
1637
- maxExpiration?: number;
1638
- /**
1639
- * Policy for renewing or capping token lifetime (pairs with `maxExpiration` where applicable).
1640
- */
1641
- expirationStrategy?: JWTExpirationStrategy;
1642
- } & JWTConfigBase;
1643
- /**
1644
- * Stateless JWT strategy.
1645
- * No database required. Tokens are self-contained and cannot be revoked
1646
- * before they expire — keep `jwt.maxAge` short or enable refresh tokens.
1647
- *
1648
- * @example
1649
- * {
1650
- * strategy: "jwt",
1651
- * jwt: { mode: "sealed", maxAge: "15m", issuer: "https://auth.example.com" },
1652
- * refreshToken: { enabled: true, maxAge: "7d" },
1653
- * }
1654
- */
1655
- type StatelessStrategyConfig = {
1656
- strategy?: "jwt";
1657
- jwt?: JWTConfig;
1658
- };
1659
- /**
1660
- * The session strategy. Determines which fields below are required.
1661
- *
1662
- * - "jwt": stateless. No database needed. JWTs are self-contained.
1663
- * - "database": stateful. Every request hits the DB to validate the session.
1664
- * - "hybrid": JWT transport + DB revocation. Best of both for most apps.
1665
- *
1666
- * @default "jwt"
1667
- */
1668
- type SessionConfig = StatelessStrategyConfig;
1669
- /** Result of reading a stateless (JWT) session from a request: session payload and outgoing header mutations. */
1670
- interface GetStatelessSessionReturn<DefaultUser extends User = User> {
1671
- session: Session<DefaultUser> | null;
1672
- headers: Headers;
1673
- }
1674
- /**
1675
- * Abstraction layer for session management.
1676
- */
1677
- interface SessionStrategy<DefaultUser extends User = User> {
1678
- /**
1679
- * Read and validate the session from an incoming request.
1680
- * Returns null if absent, invalid, or expired. Never throws on auth failure.
1681
- */
1682
- getSession(request: Headers): Promise<GetStatelessSessionReturn<DefaultUser>>;
1683
- /**
1684
- * Create a session after successful authentication.
1685
- * Signs the JWT / writes the DB row / sets cookies.
1686
- */
1687
- createSession(session: User): Promise<string>;
1688
- /**
1689
- * Attempt to refresh using the refresh token cookie.
1690
- * Returns null session + cookie-clearing response on any failure.
1691
- */
1692
- refreshSession(headers: Headers, session: DeepPartial<Session<DefaultUser>>, skipCSRFCheck?: boolean): Promise<{
1693
- session: Session<DefaultUser> | null;
1694
- headers: Headers;
1695
- }>;
1696
- /**
1697
- * Revoke a session by ID.
1698
- * JWT strategy: best-effort (clears cookies, no server state).
1699
- * Database / hybrid: marks row inactive.
1700
- */
1701
- revokeSession(sessionId: string): Promise<void>;
1702
- /**
1703
- * Destroy the session attached to this request (logout).
1704
- * Returns a response that clears cookies.
1705
- */
1706
- destroySession(request: Headers, skipCSRFCheck?: boolean): Promise<Headers>;
1707
- }
1708
- /** Inputs for constructing a session strategy implementation for a given identity schema. */
1709
- interface CreateSessionStrategyOptions<Identity extends EditableShape<UserShape>> {
1710
- config?: SessionConfig;
1711
- jose: JoseInstance<ShapeToObject<Identity> & User>;
1712
- cookies: () => CookieStoreConfig;
1713
- logger?: InternalLogger;
1714
- identity: IdentityConfig;
1715
- }
1716
- /** Options specialized for the JWT-backed session strategy. */
1717
- interface JWTStrategyOptions<DefaultUser extends User = User> {
1718
- config?: StatelessStrategyConfig;
1719
- jose: JoseInstance<DefaultUser>;
1720
- logger?: InternalLogger;
1721
- cookies: () => CookieStoreConfig;
1722
- identity: IdentityConfig;
1723
- }
1724
- /** Minimal token issue/verify surface used by session code paths. */
1725
- type JWTManager<DefaultUser extends User = User> = {
1726
- createToken(user: TypedJWTPayload<Partial<DefaultUser>>): Promise<string>;
1727
- verifyToken(token: string): Promise<TypedJWTPayload<DefaultUser>>;
1728
- };
1729
- //#endregion
1730
1954
  //#region src/@types/utility.d.ts
1731
1955
  /** Expands intersection types into a single flat object type for readable editor hints. */
1732
- type Prettify$1<T> = { [K in keyof T]: T[K] };
1956
+ type Prettify<T> = { [K in keyof T]: T[K] };
1733
1957
  /**
1734
1958
  * A string that must be one of the literals in `T`, or any other string (`U`).
1735
1959
  * Useful for autocomplete on known keys while still allowing custom values.
@@ -1739,33 +1963,97 @@ type LiteralUnion<T extends U, U = string> = T | (U & Record<never, never>);
1739
1963
  * Transforms a Zod raw shape so nested `ZodObject` fields become editable (same structure, for config authoring).
1740
1964
  */
1741
1965
  type EditableShape<T extends ZodRawShape> = { [K in keyof T]: T[K] extends ZodObject<infer Inner extends ZodRawShape> ? ZodObject<EditableShape<Inner>> : ZodTypeAny };
1966
+ type EditableShapeZod<T extends ZodRawShape> = EditableShape<T>;
1967
+ type AnyShape = Record<string, AnySchema>;
1968
+ type EditableShapeValibot<T extends ObjectEntries> = { [K in keyof T]: T[K] extends ObjectSchema<infer Inner extends AnyShape, undefined> ? ObjectSchema<EditableShapeValibot<Inner>, undefined> : BaseSchema<any, any, any> };
1969
+ type EditableShapeTypebox<T extends TProperties> = { [K in keyof T]: T[K] extends TObject ? Wrap<EditableShapeTypebox<T[K]["properties"]>> : TSchema };
1970
+ type EditableUser = { [K in keyof User]: any };
1971
+ type ConfigSchema<T extends Identities> = IsZod<T> extends true ? ZodObject<T & ZodRawShape> : T extends EditableShapeValibot<UserShapeValibot> ? ObjectSchema<T & ObjectEntries, undefined> : IsArkType<T> extends true ? T : T extends EditableShapeTypebox<UserShapeTypeBox> ? TObject<T & TProperties> : never;
1972
+ type ValibotShapeToObject<S extends ObjectEntries> = Merge<InferOutput<ObjectSchema<S, undefined>>, User>;
1973
+ type ArktypeShapeToObject<S extends Type> = S extends Type<infer Shape> ? Wrap<Merge<Shape, User>> : never;
1974
+ type TypeboxShapeToObject<S> = Wrap<Merge<S, User>>;
1975
+ type EditableShapeArkType<T extends Type> = T extends Type<infer Shape> ? Type<{ [K in keyof Shape]: any }> : never;
1742
1976
  /** Merges type `B` over `A`, replacing overlapping keys with `B`. */
1743
1977
  type Merge<A, B> = Omit<A, keyof B> & B;
1744
1978
  /**
1745
1979
  * Infers the runtime object type from a Zod `shape` and intersects it with {@link User}
1746
1980
  * so identity fields always include the base user contract.
1747
1981
  */
1748
- type ShapeToObject<S extends ZodRawShape = ZodRawShape> = Merge<{ [K in keyof S]: z.infer<S[K]> }, User>;
1982
+ type ZodShapeToObject<S extends ZodRawShape = ZodRawShape> = Merge<__Infer<ZodObject<S>>, User>;
1983
+ type FromShapeToObject<S> = S extends ZodRawShape ? ZodShapeToObject<S> : S extends ObjectEntries ? ValibotShapeToObject<S> : S extends Type ? ArktypeShapeToObject<S> : S extends TProperties ? TypeboxShapeToObject<S> : S extends User ? S : never;
1749
1984
  /** Recursively makes every property required. */
1750
1985
  type DeepRequired<T> = { [K in keyof T]-?: T[K] extends object ? DeepRequired<T[K]> : T[K] };
1751
1986
  /** Recursively makes every property optional. */
1752
1987
  type DeepPartial<T> = { [P in keyof T]?: T[P] extends object ? DeepPartial<T[P]> : T[P] };
1753
- /** Resolves the user identity type from an {@link AuthInstance} config, or falls back to {@link User}. */
1754
- type InferAuthIdentity<Config> = Config extends AuthInstance<infer Identity> ? Prettify$1<Identity> : User;
1755
- /** Shorthand for a Zod object’s `.shape` property. */
1756
- type InferShape<T extends ZodObject> = T["shape"];
1757
- /** Runtime user object type inferred from a Zod identity schema. */
1758
- type InferIdentity<T extends ZodObject> = ShapeToObject<InferShape<T>>;
1988
+ /** Wraps a type in an object with the same keys. */
1989
+ type Wrap<T> = T extends any ? { [K in keyof T]: T[K] } : never;
1990
+ /**
1991
+ * Infers the user type from an {@link AuthInstance} config, or falls back to {@link User}.
1992
+ * @example
1993
+ * const auth = createAuth({
1994
+ * oauth: [],
1995
+ * identity: UserIdentity.extend({
1996
+ * role: z.string().nullable().optional(),
1997
+ * username: z.string().optional(),
1998
+ * })
1999
+ * })
2000
+ *
2001
+ * type User = InferUser<typeof auth>
2002
+ */
2003
+ type InferUser<Config extends AuthInstance> = Config extends AuthInstance<infer Identity> ? Prettify<Identity> : User;
2004
+ /**
2005
+ * Infers the session type from an {@link AuthInstance} config.
2006
+ * @example
2007
+ * const auth = createAuth({
2008
+ * oauth: [],
2009
+ * identity: UserIdentity.extend({
2010
+ * role: z.string().nullable().optional(),
2011
+ * username: z.string().optional(),
2012
+ * })
2013
+ * })
2014
+ *
2015
+ * type Session = InferSession<typeof auth>
2016
+ */
2017
+ type InferSession<Config extends AuthInstance> = Prettify<Session<Wrap<InferUser<Config>>>>;
2018
+ /**
2019
+ * Shorthand for a Zod object’s `.shape` property.
2020
+ */
2021
+ type InferZodShape<T extends ZodObject> = T["shape"];
2022
+ /**
2023
+ * Infers the user type from a Zod identity schema, or falls back to {@link User}.
2024
+ * @example
2025
+ * const schema = z.object({
2026
+ * sub: z.string(),
2027
+ * role: z.string().nullable().optional(),
2028
+ * username: z.string().optional(),
2029
+ * })
2030
+ *
2031
+ * type User = UserFrom<typeof schema>
2032
+ */
2033
+ type UserFrom<T extends ZodObject> = Prettify<ZodShapeToObject<InferZodShape<T>>>;
2034
+ /**
2035
+ * Infers the session type from a Zod identity schema.
2036
+ * @example
2037
+ * const schema = z.object({
2038
+ * sub: z.string(),
2039
+ * role: z.string().nullable().optional(),
2040
+ * username: z.string().optional(),
2041
+ * })
2042
+ *
2043
+ * type Session = SessionFrom<typeof schema>
2044
+ */
2045
+ type SessionFrom<T extends ZodObject> = Wrap<Session<Wrap<UserFrom<T>>>>;
1759
2046
  /**
1760
2047
  * HTTP `Response` with `json()` typed to resolve to `Body` (defaults to `unknown`).
1761
2048
  */
1762
- type AuthResponse<Body = unknown> = Prettify$1<Omit<Response, "json"> & {
2049
+ type AuthResponse<Body = unknown> = Prettify<Omit<Response, "json"> & {
1763
2050
  json(): Promise<Body>;
1764
2051
  }>;
2052
+ type RequiredKeys<Obj extends object, Keys extends keyof Obj = keyof Obj> = Wrap<{ [K in Keys]-?: Obj[K] } & Omit<Obj, Keys>>;
1765
2053
  //#endregion
1766
2054
  //#region src/createAuth.d.ts
1767
- declare const createAuthInstance: <Identity extends EditableShape<UserShape>>(authConfig: AuthConfig<Identity>) => {
1768
- handlers: _$_aura_stack_router0.Router<[_$_aura_stack_router0.RouteEndpoint<"GET", "/signIn/:oauth", {
2055
+ declare const createAuthInstance: <Identity extends Identities>(authConfig: AuthConfig<Identity>) => {
2056
+ handlers: _$_aura_stack_router0.Router<[_$_aura_stack_router0.RouteEndpoint<"/signIn/:oauth", _$_aura_stack_router0.HTTPMethod | _$_aura_stack_router0.HTTPMethod[], {
1769
2057
  schemas?: {
1770
2058
  params: _$zod.ZodObject<{
1771
2059
  oauth: _$zod.ZodEnum<{
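Review bot: The doc comment on `UserFrom` says it "falls back to {@link User}", but the alias has no conditional branch: it is `Prettify<ZodShapeToObject<InferZodShape<T>>>`, and `ZodShapeToObject` is `Merge<…, User>`, which by the comment on `Merge` replaces overlapping keys with `User`'s. In the `@example`, the `sub: z.string()` declared by the schema therefore gets its resulting type from `User`, not from the schema. I would change the first line to `* Infers the user type from a Zod identity schema, merged with {@link User} (the base user fields take precedence).` The `createAuthInstance` declaration at the end of this hunk continues outside it.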
@@ -1784,6 +2072,8 @@ declare const createAuthInstance: <Identity extends EditableShape<UserShape>>(au
1784
2072
  notion: "notion";
1785
2073
  dropbox: "dropbox";
1786
2074
  atlassian: "atlassian";
2075
+ clickUp: "clickUp";
2076
+ dribbble: "dribbble";
1787
2077
  }>;
1788
2078
  }, _$zod_v4_core0.$strip>;
1789
2079
  searchParams: _$zod.ZodObject<{
@@ -1791,17 +2081,85 @@ declare const createAuthInstance: <Identity extends EditableShape<UserShape>>(au
1791
2081
  redirectTo: _$zod.ZodOptional<_$zod.ZodString>;
1792
2082
  }, _$zod_v4_core0.$strip>;
1793
2083
  } | undefined;
1794
- }>, _$_aura_stack_router0.RouteEndpoint<"POST", "/signIn/credentials", {
2084
+ }, (ctx: _$_aura_stack_router0.RequestContext<_$_aura_stack_router0.EndpointMeta<"/signIn/:oauth", _$_aura_stack_router0.HTTPMethod | _$_aura_stack_router0.HTTPMethod[], {
2085
+ params: _$zod.ZodObject<{
2086
+ oauth: _$zod.ZodEnum<{
2087
+ [x: string & Record<never, never>]: string & Record<never, never>;
2088
+ github: "github";
2089
+ bitbucket: "bitbucket";
2090
+ figma: "figma";
2091
+ discord: "discord";
2092
+ gitlab: "gitlab";
2093
+ spotify: "spotify";
2094
+ x: "x";
2095
+ strava: "strava";
2096
+ mailchimp: "mailchimp";
2097
+ pinterest: "pinterest";
2098
+ twitch: "twitch";
2099
+ notion: "notion";
2100
+ dropbox: "dropbox";
2101
+ atlassian: "atlassian";
2102
+ clickUp: "clickUp";
2103
+ dribbble: "dribbble";
2104
+ }>;
2105
+ }, _$zod_v4_core0.$strip>;
2106
+ searchParams: _$zod.ZodObject<{
2107
+ redirect: _$zod.ZodDefault<_$zod.ZodOptional<_$zod.ZodCodec<_$zod.ZodString, _$zod.ZodBoolean>>>;
2108
+ redirectTo: _$zod.ZodOptional<_$zod.ZodString>;
2109
+ }, _$zod_v4_core0.$strip>;
2110
+ }>>) => Promise<Prettify<Omit<Response, "json"> & {
2111
+ json(): Promise<{
2112
+ success: true;
2113
+ redirect: boolean;
2114
+ signInURL: string;
2115
+ }>;
2116
+ }> | Prettify<Omit<Response, "json"> & {
2117
+ json(): Promise<{
2118
+ success: false;
2119
+ redirect: false;
2120
+ signInURL: null;
2121
+ }>;
2122
+ }>>>, _$_aura_stack_router0.RouteEndpoint<`/${string}`, _$_aura_stack_router0.HTTPMethod | _$_aura_stack_router0.HTTPMethod[], {
1795
2123
  schemas?: {
1796
2124
  body: _$zod.ZodObject<{
1797
2125
  username: _$zod.ZodString;
1798
2126
  password: _$zod.ZodString;
1799
2127
  }, _$zod_v4_core0.$strip>;
1800
2128
  searchParams: _$zod.ZodObject<{
2129
+ redirect: _$zod.ZodDefault<_$zod.ZodOptional<_$zod.ZodCodec<_$zod.ZodString, _$zod.ZodBoolean>>>;
1801
2130
  redirectTo: _$zod.ZodOptional<_$zod.ZodString>;
1802
2131
  }, _$zod_v4_core0.$strip>;
1803
2132
  } | undefined;
1804
- }>, _$_aura_stack_router0.RouteEndpoint<"GET", "/callback/:oauth", {
2133
+ }, (ctx: _$_aura_stack_router0.RequestContext<_$_aura_stack_router0.EndpointMeta<`/${string}`, _$_aura_stack_router0.HTTPMethod | _$_aura_stack_router0.HTTPMethod[], {
2134
+ body: _$zod.ZodObject<{
2135
+ username: _$zod.ZodString;
2136
+ password: _$zod.ZodString;
2137
+ }, _$zod_v4_core0.$strip>;
2138
+ searchParams: _$zod.ZodObject<{
2139
+ redirect: _$zod.ZodDefault<_$zod.ZodOptional<_$zod.ZodCodec<_$zod.ZodString, _$zod.ZodBoolean>>>;
2140
+ redirectTo: _$zod.ZodOptional<_$zod.ZodString>;
2141
+ }, _$zod_v4_core0.$strip>;
2142
+ }>>) => Promise<Prettify<Omit<Response, "json"> & {
2143
+ json(): Promise<{
2144
+ success: true;
2145
+ redirect: true;
2146
+ redirectURL: null;
2147
+ } | {
2148
+ success: true;
2149
+ redirect: false;
2150
+ redirectURL: string;
2151
+ } | {
2152
+ success: true;
2153
+ redirect: false;
2154
+ redirectURL: null;
2155
+ }>;
2156
+ }> | Prettify<Omit<Response, "json"> & {
2157
+ json(): Promise<{
2158
+ success: false;
2159
+ redirect: false;
2160
+ redirectURL: null;
2161
+ }>;
2162
+ }>>>, _$_aura_stack_router0.RouteEndpoint<"/callback/:oauth", _$_aura_stack_router0.HTTPMethod | _$_aura_stack_router0.HTTPMethod[], {
1805
2163
  schemas?: {
1806
2164
  params: _$zod.ZodObject<{
1807
2165
  oauth: _$zod.ZodEnum<{
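Review bot: The credentials sign-in endpoint loses both its literal path and its method in the declared type: `RouteEndpoint<"POST", "/signIn/credentials", …>` becomes a `RouteEndpoint` with a template-literal path and method `HTTPMethod | HTTPMethod[]`. `/callback/:oauth` is widened from `"GET"` the same way, and `/signIn/:oauth` carries the same widened method in this hunk. From the declarations alone a consumer can no longer confirm that the endpoint taking `username` and `password` in its body is restricted to POST; the runtime restriction is not visible in this diff and should be checked. If the widening comes from a non-literal method or path in the endpoint definition, pinning it (for example with `as const`) would restore the precise types. The `createAuthInstance` declaration starts and ends outside this hunk.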
@@ -1820,6 +2178,8 @@ declare const createAuthInstance: <Identity extends EditableShape<UserShape>>(au
1820
2178
  notion: "notion";
1821
2179
  dropbox: "dropbox";
1822
2180
  atlassian: "atlassian";
2181
+ clickUp: "clickUp";
2182
+ dribbble: "dribbble";
1823
2183
  }>;
1824
2184
  }, _$zod_v4_core0.$strip>;
1825
2185
  searchParams: _$zod.ZodObject<{
@@ -1827,30 +2187,139 @@ declare const createAuthInstance: <Identity extends EditableShape<UserShape>>(au
1827
2187
  state: _$zod.ZodString;
1828
2188
  }, _$zod_v4_core0.$strip>;
1829
2189
  } | undefined;
1830
- }>, _$_aura_stack_router0.RouteEndpoint<"GET", "/session", {
2190
+ }, (ctx: _$_aura_stack_router0.RequestContext<_$_aura_stack_router0.EndpointMeta<"/callback/:oauth", _$_aura_stack_router0.HTTPMethod | _$_aura_stack_router0.HTTPMethod[], {
2191
+ params: _$zod.ZodObject<{
2192
+ oauth: _$zod.ZodEnum<{
2193
+ [x: string & Record<never, never>]: string & Record<never, never>;
2194
+ github: "github";
2195
+ bitbucket: "bitbucket";
2196
+ figma: "figma";
2197
+ discord: "discord";
2198
+ gitlab: "gitlab";
2199
+ spotify: "spotify";
2200
+ x: "x";
2201
+ strava: "strava";
2202
+ mailchimp: "mailchimp";
2203
+ pinterest: "pinterest";
2204
+ twitch: "twitch";
2205
+ notion: "notion";
2206
+ dropbox: "dropbox";
2207
+ atlassian: "atlassian";
2208
+ clickUp: "clickUp";
2209
+ dribbble: "dribbble";
2210
+ }>;
2211
+ }, _$zod_v4_core0.$strip>;
2212
+ searchParams: _$zod.ZodObject<{
2213
+ code: _$zod.ZodString;
2214
+ state: _$zod.ZodString;
2215
+ }, _$zod_v4_core0.$strip>;
2216
+ }>>) => Promise<Response>>, _$_aura_stack_router0.RouteEndpoint<"/session", "GET", {
1831
2217
  schemas?: _$_aura_stack_router0.EndpointSchemas | undefined;
1832
- }>, _$_aura_stack_router0.RouteEndpoint<"POST", "/signOut", {
2218
+ }, (ctx: _$_aura_stack_router0.RequestContext<_$_aura_stack_router0.EndpointMeta<"/session", "GET", _$_aura_stack_router0.EndpointSchemas>>) => Promise<Prettify<Omit<Response, "json"> & {
2219
+ json(): Promise<{
2220
+ success: true;
2221
+ session: Session<{
2222
+ sub: string;
2223
+ name?: string | null | undefined;
2224
+ image?: string | null | undefined;
2225
+ email?: string | null | undefined;
2226
+ }>;
2227
+ }>;
2228
+ }> | Prettify<Omit<Response, "json"> & {
2229
+ json(): Promise<{
2230
+ success: false;
2231
+ session: null;
2232
+ }>;
2233
+ }>>>, _$_aura_stack_router0.RouteEndpoint<`/${string}`, _$_aura_stack_router0.HTTPMethod | _$_aura_stack_router0.HTTPMethod[], {
1833
2234
  schemas?: {
1834
2235
  searchParams: _$zod.ZodObject<{
1835
- token_type_hint: _$zod.ZodLiteral<"session_token">;
2236
+ redirect: _$zod.ZodDefault<_$zod.ZodOptional<_$zod.ZodCodec<_$zod.ZodString, _$zod.ZodBoolean>>>;
1836
2237
  redirectTo: _$zod.ZodOptional<_$zod.ZodString>;
2238
+ token_type_hint: _$zod.ZodLiteral<"session_token">;
1837
2239
  }, _$zod_v4_core0.$strip>;
1838
2240
  } | undefined;
1839
- }>, _$_aura_stack_router0.RouteEndpoint<"GET", "/csrfToken", {
2241
+ }, (ctx: _$_aura_stack_router0.RequestContext<_$_aura_stack_router0.EndpointMeta<`/${string}`, _$_aura_stack_router0.HTTPMethod | _$_aura_stack_router0.HTTPMethod[], {
2242
+ searchParams: _$zod.ZodObject<{
2243
+ redirect: _$zod.ZodDefault<_$zod.ZodOptional<_$zod.ZodCodec<_$zod.ZodString, _$zod.ZodBoolean>>>;
2244
+ redirectTo: _$zod.ZodOptional<_$zod.ZodString>;
2245
+ token_type_hint: _$zod.ZodLiteral<"session_token">;
2246
+ }, _$zod_v4_core0.$strip>;
2247
+ }>>) => Promise<Prettify<Omit<Response, "json"> & {
2248
+ json(): Promise<{
2249
+ success: true;
2250
+ redirect: true;
2251
+ redirectURL: null;
2252
+ } | {
2253
+ success: true;
2254
+ redirect: false;
2255
+ redirectURL: string;
2256
+ } | {
2257
+ success: true;
2258
+ redirect: false;
2259
+ redirectURL: null;
2260
+ }>;
2261
+ }> | Prettify<Omit<Response, "json"> & {
2262
+ json(): Promise<{
2263
+ success: false;
2264
+ redirect: false;
2265
+ redirectURL: null;
2266
+ }>;
2267
+ }>>>, _$_aura_stack_router0.RouteEndpoint<"/csrfToken", "GET", {
1840
2268
  schemas?: _$_aura_stack_router0.EndpointSchemas | undefined;
1841
- }>, _$_aura_stack_router0.RouteEndpoint<"PATCH", "/session", {
2269
+ }, (ctx: _$_aura_stack_router0.RequestContext<_$_aura_stack_router0.EndpointMeta<"/csrfToken", "GET", _$_aura_stack_router0.EndpointSchemas>>) => Promise<Response>>, _$_aura_stack_router0.RouteEndpoint<`/${string}`, _$_aura_stack_router0.HTTPMethod | _$_aura_stack_router0.HTTPMethod[], {
1842
2270
  schemas?: {
1843
- body: _$zod.ZodObject<{
1844
- user: _$zod.ZodOptional<_$zod.ZodObject<{
1845
- sub: _$zod.ZodOptional<_$zod.ZodString>;
1846
- name: _$zod.ZodOptional<_$zod.ZodOptional<_$zod.ZodNullable<_$zod.ZodString>>>;
1847
- image: _$zod.ZodOptional<_$zod.ZodOptional<_$zod.ZodNullable<_$zod.ZodString>>>;
1848
- email: _$zod.ZodOptional<_$zod.ZodOptional<_$zod.ZodNullable<_$zod.ZodEmail>>>;
1849
- }, _$zod_v4_core0.$strip>> | undefined;
1850
- expires: _$zod.ZodOptional<_$zod.ZodCoercedDate<unknown>>;
2271
+ body: any;
2272
+ searchParams: _$zod.ZodObject<{
2273
+ redirect: _$zod.ZodDefault<_$zod.ZodOptional<_$zod.ZodCodec<_$zod.ZodString, _$zod.ZodBoolean>>>;
2274
+ redirectTo: _$zod.ZodOptional<_$zod.ZodString>;
1851
2275
  }, _$zod_v4_core0.$strip>;
1852
2276
  } | undefined;
1853
- }>]>;
2277
+ }, (ctx: _$_aura_stack_router0.RequestContext<_$_aura_stack_router0.EndpointMeta<`/${string}`, _$_aura_stack_router0.HTTPMethod | _$_aura_stack_router0.HTTPMethod[], {
2278
+ body: any;
2279
+ searchParams: _$zod.ZodObject<{
2280
+ redirect: _$zod.ZodDefault<_$zod.ZodOptional<_$zod.ZodCodec<_$zod.ZodString, _$zod.ZodBoolean>>>;
2281
+ redirectTo: _$zod.ZodOptional<_$zod.ZodString>;
2282
+ }, _$zod_v4_core0.$strip>;
2283
+ }>>) => Promise<Prettify<Omit<Response, "json"> & {
2284
+ json(): Promise<{
2285
+ success: true;
2286
+ session: Session<{
2287
+ sub: string;
2288
+ name?: string | null | undefined;
2289
+ image?: string | null | undefined;
2290
+ email?: string | null | undefined;
2291
+ }>;
2292
+ redirect: true;
2293
+ redirectURL: null;
2294
+ } | {
2295
+ success: true;
2296
+ session: Session<{
2297
+ sub: string;
2298
+ name?: string | null | undefined;
2299
+ image?: string | null | undefined;
2300
+ email?: string | null | undefined;
2301
+ }>;
2302
+ redirect: false;
2303
+ redirectURL: string;
2304
+ } | {
2305
+ success: true;
2306
+ session: Session<{
2307
+ sub: string;
2308
+ name?: string | null | undefined;
2309
+ image?: string | null | undefined;
2310
+ email?: string | null | undefined;
2311
+ }>;
2312
+ redirect: false;
2313
+ redirectURL: null;
2314
+ }>;
2315
+ }> | Prettify<Omit<Response, "json"> & {
2316
+ json(): Promise<{
2317
+ success: false;
2318
+ session: null;
2319
+ redirect: false;
2320
+ redirectURL: null;
2321
+ }>;
2322
+ }>>>]>;
1854
2323
  jose: any;
1855
2324
  api: {
1856
2325
  getSession: (options: GetSessionAPIOptions) => Promise<GetSessionAPIReturn<{
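Review bot: The last route endpoint in this tuple now declares its request body as `body: any`, both in `schemas` and in the handler's `EndpointMeta`, where 0.6.0 published a `ZodObject` with optional `user` and `expires` fields. That body is client-supplied input that is merged into the session, and with `any` the declaration no longer shows which fields the endpoint accepts; whether the runtime schema still rejects unexpected keys cannot be read from this file. The schema presumably became generic over the identity shape, so annotating it in the source would keep the emitted type a Zod type, for example `body: _$zod.ZodType<DeepPartial<Session<User>>>`. The same endpoint also widened from `"PATCH", "/session"` to the template path `/${string}` with `HTTPMethod | HTTPMethod[]`, as did the sign-out endpoint above it, so the published route types no longer pin the method.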
@@ -1898,7 +2367,7 @@ declare const createAuthInstance: <Identity extends EditableShape<UserShape>>(au
1898
2367
  * }]
1899
2368
  * })
1900
2369
  */
1901
- declare const createAuth: <Identity extends EditableShape<UserShape>>(config: AuthConfig<Identity>) => AuthInstance<ShapeToObject<Identity>>;
2370
+ declare const createAuth: <Identity extends Identities = EditableShape<UserShape>>(config: AuthConfig<Identity>) => AuthInstance<FromShapeToObject<Identity>>;
1902
2371
  //#endregion
1903
2372
  //#region src/@types/errors.d.ts
1904
2373
  /** Map of field or logical keys to API validation error payloads (code + message). */
@@ -1934,7 +2403,7 @@ type ErrorType = AuthorizationError["error"] | AccessTokenError["error"] | Token
1934
2403
  * Machine-readable codes for internal auth failures (configuration, crypto, environment, etc.).
1935
2404
  * Used with {@link AuthInternalError} and logging.
1936
2405
  */
1937
- type AuthInternalErrorCode = "INVALID_OAUTH_CONFIGURATION" | "INVALID_JWT_TOKEN" | "JOSE_INITIALIZATION_FAILED" | "SESSION_STORE_NOT_INITIALIZED" | "COOKIE_STORE_NOT_INITIALIZED" | "COOKIE_PARSING_FAILED" | "COOKIE_NOT_FOUND" | "INVALID_ENVIRONMENT_CONFIGURATION" | "INVALID_URL" | "INVALID_SALT_SECRET_VALUE" | "UNTRUSTED_ORIGIN" | "INVALID_OAUTH_PROVIDER_CONFIGURATION" | "DUPLICATED_OAUTH_PROVIDER_ID" | "CREDENTIALS_PROVIDER_NOT_CONFIGURED" | "IDENTITY_VALIDATION_FAILED";
2406
+ type AuthInternalErrorCode = "INVALID_OAUTH_CONFIGURATION" | "INVALID_JWT_TOKEN" | "JOSE_INITIALIZATION_FAILED" | "SESSION_STORE_NOT_INITIALIZED" | "COOKIE_STORE_NOT_INITIALIZED" | "COOKIE_PARSING_FAILED" | "COOKIE_NOT_FOUND" | "INVALID_ENVIRONMENT_CONFIGURATION" | "INVALID_URL" | "INVALID_SALT_SECRET_VALUE" | "UNTRUSTED_ORIGIN" | "INVALID_OAUTH_PROVIDER_CONFIGURATION" | "DUPLICATED_OAUTH_PROVIDER_ID" | "CREDENTIALS_PROVIDER_NOT_CONFIGURED" | "IDENTITY_VALIDATION_FAILED" | "UPDATE_SESSION_INVALID";
1938
2407
  /**
1939
2408
  * Machine-readable codes for security-sensitive failures (CSRF, session, open redirect, OAuth state).
1940
2409
  */
@@ -2004,7 +2473,7 @@ interface APIOptionsWithRedirectTo {
2004
2473
  /**
2005
2474
  * Optional redirect strategy for server/programmatic API functions.
2006
2475
  *
2007
- * - `true`: the generated response is a redirect response.
2476
+ * - `true`: The response includes a `Location` header.
2008
2477
  * - `false`: the API returns redirect data (`signInURL` or `redirectURL`) for custom handling.
2009
2478
  *
2010
2479
  * Defaults are action-specific; see each API option type.
@@ -2126,16 +2595,32 @@ interface SignInCredentialsOptions extends OptionsWithRedirectTo {
2126
2595
  */
2127
2596
  payload: CredentialsPayload;
2128
2597
  }
2129
- /** Client-side credentials sign-in return type (redirect mode or manual redirect data). */
2130
- type SignInCredentialsReturn<Options extends SignInCredentialsOptions> = Options extends {
2131
- redirect: false;
2132
- } ? {
2598
+ type SignInCredentialsReturnData = /** redirect: true & redirectTo: string */{
2599
+ success: true;
2600
+ redirect: true;
2601
+ redirectURL: null;
2602
+ } /** redirect: false & redirectTo: string */ | {
2133
2603
  success: true;
2604
+ redirect: false;
2134
2605
  redirectURL: string;
2135
- } | {
2606
+ }
2607
+ /** redirect: false & redirectTo: null | undefined (not set) */
2608
+ /** redirect: true & redirectTo: null | undefined (not set) */
2609
+ | {
2610
+ success: true;
2611
+ redirect: false;
2612
+ redirectURL: null;
2613
+ } /** Failed credentials */ | {
2136
2614
  success: false;
2615
+ redirect: false;
2137
2616
  redirectURL: null;
2138
- } : void;
2617
+ };
2618
+ /** Client-side credentials sign-in return type (redirect mode or manual redirect data). */
2619
+ type SignInCredentialsReturn<Options extends SignInCredentialsOptions> = Options extends {
2620
+ redirect: false;
2621
+ } ? Extract<SignInCredentialsReturnData, {
2622
+ redirect: false;
2623
+ }> : void;
2139
2624
  /** Server/programmatic credentials sign-in options. */
2140
2625
  interface SignInCredentialsAPIOptions extends APIOptionsWithRedirectTo, APIOptionsWithRequest {
2141
2626
  /**
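Review bot: In `SignInCredentialsReturnData` the comments `redirect: false & redirectTo: null | undefined (not set)` and `redirect: true & redirectTo: null | undefined (not set)` both sit in front of the single member `{ success: true; redirect: false; redirectURL: null }`, so the second reads as if a `redirect: true` request yields `redirect: false` without saying why. Comments placed between union members are generally not shown by editors as documentation for the alias. I would move the mapping into one TSDoc block on the type that lists, per member, which `redirect`/`redirectTo` inputs produce it, and state outright (if that is the intent) that `redirect: true` without `redirectTo` is reported as `redirect: false`. `SignOutReturnData` in the next hunk repeats the same pair of comments.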
@@ -2149,83 +2634,73 @@ interface SignInCredentialsAPIOptions extends APIOptionsWithRedirectTo, APIOptio
2149
2634
  payload: CredentialsPayload;
2150
2635
  }
2151
2636
  /** Programmatic credentials sign-in result with response metadata and `toResponse()`. */
2152
- type SignInCredentialsAPIReturn = AuthActionAPIReturn<{
2153
- success: true;
2154
- redirectURL: string;
2155
- } | {
2156
- success: false;
2157
- redirectURL: null;
2158
- }>;
2637
+ type SignInCredentialsAPIReturn = AuthActionAPIReturn<SignInCredentialsReturnData>;
2159
2638
  /** Client-side sign-out options. */
2160
2639
  interface SignOutOptions extends OptionsWithRedirectTo {}
2161
- /** Client-side sign-out return type (redirect mode or manual redirect data). */
2162
- type SignOutReturn<Options extends SignOutOptions> = Options extends {
2163
- redirect: false;
2164
- } ? {
2640
+ type SignOutReturnData = /** redirect: true & redirectTo: string */{
2641
+ success: true;
2642
+ redirect: true;
2643
+ redirectURL: null;
2644
+ } /** redirect: false & redirectTo: string */ | {
2165
2645
  success: true;
2166
2646
  redirect: false;
2167
2647
  redirectURL: string;
2168
- } | {
2648
+ }
2649
+ /** redirect: false & redirectTo: null | undefined (not set) */
2650
+ /** redirect: true & redirectTo: null | undefined (not set) */
2651
+ | {
2652
+ success: true;
2653
+ redirect: false;
2654
+ redirectURL: null;
2655
+ } /** Failed */ | {
2169
2656
  success: false;
2170
2657
  redirect: false;
2171
2658
  redirectURL: null;
2172
- } : void;
2659
+ };
2660
+ /** Client-side sign-out return type (redirect mode or manual redirect data). */
2661
+ type SignOutReturn<Options extends SignOutOptions> = Options extends {
2662
+ redirect: false;
2663
+ } ? Extract<SignOutReturnData, {
2664
+ redirect: false;
2665
+ }> : void;
2173
2666
  /** Server/programmatic options for `signOut` API. */
2174
- interface SignOutAPIOptions extends APIOptionsWithRedirectTo, APIOptionsWithSkipCSRFCheck {
2175
- /**
2176
- * Required headers used to execute sign-out.
2177
- * Must include `session_token` and `csrf_token` cookies for CSRF validation.
2178
- * @example
2179
- * {
2180
- * Cookie: "session_token=abc123; csrf_token=def456"
2181
- * }
2182
- */
2183
- headers: HeadersInit;
2184
- /**
2185
- * Optional `Request` object as an alternative to manually providing `headers`.
2186
- */
2187
- request?: Request;
2188
- }
2667
+ interface SignOutAPIOptions extends RequiredKeys<APIOptionsWithRequest, "headers">, APIOptionsWithSkipCSRFCheck {}
2189
2668
  /** Programmatic sign-out result with redirect metadata and `toResponse()`. */
2190
- type SignOutAPIReturn = AuthActionAPIReturn<{
2191
- success: true;
2192
- redirect: boolean;
2193
- redirectURL: string;
2194
- } | {
2195
- success: false;
2196
- redirect: boolean;
2197
- redirectURL: null;
2198
- }>;
2669
+ type SignOutAPIReturn = AuthActionAPIReturn<SignOutReturnData>;
2199
2670
  /** Client-side `updateSession` options: partial session payload plus optional redirect behavior. */
2200
2671
  interface UpdateSessionOptions<DefaultUser extends User = User> extends OptionsWithRedirectTo {
2201
2672
  /** Partial session data to merge into the current session. */
2202
2673
  session: DeepPartial<Session<DefaultUser>>;
2203
2674
  }
2204
- /** Client-side `updateSession` return type. */
2205
- type UpdateSessionReturn<Options extends UpdateSessionOptions, DefaultUser extends User = User> = Options extends {
2675
+ type UpdateSessionReturnData<DefaultUser extends User = User> = /** redirect: true & redirectTo: string */{
2676
+ success: true;
2677
+ session: Session<DefaultUser>;
2678
+ redirect: true;
2679
+ redirectURL: null;
2680
+ } /** redirect: false & redirectTo: string */ | {
2681
+ success: true;
2682
+ session: Session<DefaultUser>;
2206
2683
  redirect: false;
2207
- } ? {
2684
+ redirectURL: string;
2685
+ } /** redirect: false & redirectTo: null | undefined (not set) */ | {
2208
2686
  success: true;
2209
2687
  session: Session<DefaultUser>;
2210
- } | {
2688
+ redirect: false;
2689
+ redirectURL: null;
2690
+ } /** Failed session update */ | {
2211
2691
  success: false;
2212
2692
  session: null;
2213
- } : void;
2693
+ redirect: false;
2694
+ redirectURL: null;
2695
+ };
2696
+ /** Client-side `updateSession` return type. */
2697
+ type UpdateSessionReturn<Options extends UpdateSessionOptions<DefaultUser>, DefaultUser extends User = User> = Options extends {
2698
+ redirect: false;
2699
+ } ? Extract<UpdateSessionReturnData<DefaultUser>, {
2700
+ redirect: false;
2701
+ }> : void;
2214
2702
  /** Server/programmatic options for `updateSession` API. */
2215
- interface UpdateSessionAPIOptions<DefaultUser extends User = User> extends APIOptionsWithRequest, APIOptionsWithSkipCSRFCheck {
2216
- /**
2217
- * Required headers used to execute session update.
2218
- * Must include `session_token` and `csrf_token` cookies for CSRF validation.
2219
- * @example
2220
- * {
2221
- * Cookie: "session_token=abc123; csrf_token=def456"
2222
- * }
2223
- */
2224
- headers: HeadersInit;
2225
- /**
2226
- * Optional `Request` object as an alternative to manually providing `headers`.
2227
- */
2228
- request?: Request;
2703
+ interface UpdateSessionAPIOptions<DefaultUser extends User = User> extends RequiredKeys<APIOptionsWithRequest, "headers">, APIOptionsWithSkipCSRFCheck {
2229
2704
  /**
2230
2705
  * Partial session payload used to update the current session.
2231
2706
  * @see Session
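Review bot: `SignOutAPIOptions` and `UpdateSessionAPIOptions` lose the `headers` doc comment stating that the `session_token` and `csrf_token` cookies must be present for CSRF validation; the new base `RequiredKeys<APIOptionsWithRequest, "headers">` keeps the field required but nothing in this hunk restates the requirement. Callers of the programmatic API depend on that sentence to supply the right cookies, so I would restore it on both interfaces, e.g. `/** Requires headers carrying the session_token and csrf_token cookies for CSRF validation. */`. `SignOutAPIOptions` also no longer extends `APIOptionsWithRedirectTo`; unless `APIOptionsWithRequest` (declared outside this hunk) supplies `redirect`/`redirectTo`, the redirect members of `SignOutReturnData` may not be selectable from the API. `UpdateSessionAPIOptions` continues past the end of the hunk.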
@@ -2240,15 +2715,7 @@ interface UpdateSessionAPIOptions<DefaultUser extends User = User> extends APIOp
2240
2715
  session: DeepPartial<Session<DefaultUser>>;
2241
2716
  }
2242
2717
  /** Programmatic session update result with redirect metadata and `toResponse()`. */
2243
- type UpdateSessionAPIReturn<DefaultUser extends User = User> = AuthActionAPIReturn<{
2244
- success: true;
2245
- session: Session<DefaultUser>;
2246
- redirectURL: string;
2247
- } | {
2248
- success: false;
2249
- session: null;
2250
- redirectURL: null;
2251
- }>;
2718
+ type UpdateSessionAPIReturn<DefaultUser extends User = User> = AuthActionAPIReturn<UpdateSessionReturnData<DefaultUser>>;
2252
2719
  //#endregion
2253
2720
  //#region src/@types/index.d.ts
2254
2721
  /**
@@ -2272,8 +2739,8 @@ type AuthClient = ReturnType<typeof createAuthInstance>["handlers"];
2272
2739
  * Options for {@link createAuthClient} (browser HTTP client). Extends the router client with an optional `baseURL`
2273
2740
  * when the client runs outside the browser (e.g. server-side fetch to your app origin).
2274
2741
  */
2275
- type AuthClientOptions = Prettify$1<Omit<ClientOptions, "baseURL"> & {
2742
+ type AuthClientOptions = Prettify<Omit<ClientOptions, "baseURL"> & {
2276
2743
  baseURL?: string;
2277
2744
  }>;
2278
2745
  //#endregion
2279
- export { JWTConfigBase as $, atlassian as $t, APIErrorMap as A, DiscordProfile as An, IdentityConfig as At, DeepPartial as B, UserIdentity as Bn, SyslogOptions as Bt, SignOutAPIReturn as C, XProfile as Cn, CookieName as Ct, UpdateSessionAPIReturn as D, spotify as Dn, CredentialsProvider as Dt, UpdateSessionAPIOptions as E, SpotifyProfile as En, CredentialsPayload as Et, ErrorType as F, BitbucketProfile as Fn, Logger as Ft, InferShape as G, OAuthProviderCredentials as Gt, EditableShape as H, UserShape as Hn, AuthorizeParams as Ht, OAuthError as I, bitbucket as In, RouterGlobalContext as It, Prettify$1 as J, BuiltInOAuthProvider as Jt, LiteralUnion as K, OAuthProviderRecord as Kt, TokenRevocationError as L, GitHubProfile as Ln, SecureCookie as Lt, AuthInternalErrorCode as M, discord as Mn, InternalLogger as Mt, AuthSecurityErrorCode as N, FigmaProfile as Nn, JoseInstance as Nt, UpdateSessionOptions as O, GitLabProfile as On, CredentialsProviderContext as Ot, AuthorizationError as P, figma as Pn, LogLevel as Pt, JWTConfig as Q, ExtendedProfile as Qt, createAuth as R, github as Rn, Severity as Rt, SignOutAPIOptions as S, strava as Sn, CookieConfig as St, SignOutReturn as T, SpotifyImage as Tn, CookieStrategyAttributes as Tt, InferAuthIdentity as U, createIdentity as Un, OAuthProvider as Ut, DeepRequired as V, UserIdentityType as Vn, TrustedOrigin as Vt, InferIdentity as W, OAuthProviderConfig as Wt, CreateSessionStrategyOptions as X, createBuiltInOAuthProviders as Xt, ShapeToObject as Y, builtInOAuthProviders as Yt, GetStatelessSessionReturn as Z, AtlassianProfile as Zt, SignInCredentialsAPIReturn as _, MailchimpProfile as _n, User as _t, OAuthEnv as a, dropbox as an, JWTManager as at, SignInOptions as b, SummaryClub as bn, AuthInstance as bt, APIOptionsWithRequest as c, NotionUser as cn, JWTSignedMode as ct, GetSessionAPIOptions as d, notion as dn, KeyPair as dt, AccountType as en, JWTEncryptedMode as et, GetSessionAPIReturn as f, TwitchProfile as fn, SecretKey as 
ft, SignInCredentialsAPIOptions as g, Login as gn, StatelessStrategyConfig as gt, SignInAPIReturn as h, pinterest as hn, SessionStrategy as ht, JWTStandardClaims as i, RootInfo as in, JWTKeyAlgorithm as it, AccessTokenError as j, Nameplate as jn, InternalContext as jt, UpdateSessionReturn as k, gitlab as kn, HostCookie as kt, APIOptionsWithSkipCSRFCheck as l, Owner as ln, JWTSigningAlgorithm as lt, SignInAPIOptions as m, PinterestProfile as mn, SessionConfig as mt, AuthClientOptions as n, FullTeam as nn, JWTExpirationStrategy as nt, TypedJWTPayload$1 as o, Bot as on, JWTMode as ot, OptionsWithRedirectTo as p, twitch as pn, Session as pt, Merge as q, ResponseType as qt, JWTPayloadWithToken as r, Name as rn, JWTKey as rt, APIOptionsWithRedirectTo as s, NotionProfile as sn, JWTSealedMode as st, AuthClient as t, DropboxProfile as tn, JWTEncryptionAlgorithm as tt, FunctionAPIContext as u, Person as un, JWTStrategyOptions as ut, SignInCredentialsOptions as v, mailchimp as vn, AuthAPI as vt, SignOutOptions as w, x as wn, CookieStoreConfig as wt, SignInReturn as x, SummaryGear as xn, AuthRuntimeConfig as xt, SignInCredentialsReturn as y, StravaProfile as yn, AuthConfig as yt, AuthResponse as z, createSyslogMessage as zn, StandardCookie as zt };
2746
+ export { FromShapeToObject as $, SpotifyProfile as $n, JWTEncryptionAlgorithm as $t, UpdateSessionOptions as A, Name as An, Logger as At, TokenRevocationError as B, twitch as Bn, OAuthProvider as Bt, SignOutAPIOptions as C, clickUp as Cn, UserShapeArkType as Cr, CredentialsProviderContext as Ct, SignOutReturnData as D, AccountType as Dn, InternalLogger as Dt, SignOutReturn as E, atlassian as En, createIdentity as Er, InternalContext as Et, AuthInternalErrorCode as F, NotionUser as Fn, StandardCookie as Ft, DeepPartial as G, mailchimp as Gn, AsymmetricKeyPair as Gt, ArktypeShapeToObject as H, pinterest as Hn, OAuthProviderCredentials as Ht, AuthSecurityErrorCode as I, Owner as In, SyslogOptions as It, EditableShapeArkType as J, SummaryGear as Jn, CryptoSecret as Jt, DeepRequired as K, StravaProfile as Kn, AsymmetricKeyPairFromEnv as Kt, AuthorizationError as L, Person as Ln, TrustedOrigin as Lt, UpdateSessionReturnData as M, dropbox as Mn, SchemaRegistryContext as Mt, APIErrorMap as N, Bot as Nn, SecureCookie as Nt, UpdateSessionAPIOptions as O, DropboxProfile as On, JoseInstance as Ot, AccessTokenError as P, NotionProfile as Pn, Severity as Pt, EditableUser as Q, SpotifyImage as Qn, JWTEncryptedMode as Qt, ErrorType as R, notion as Rn, TrustedProxyHeadersConfig as Rt, SignInReturn as S, ClickUpProfile as Sn, UserShape as Sr, CredentialsProvider as St, SignOutOptions as T, ExtendedProfile as Tn, UserShapeValibot as Tr, IdentityConfig as Tt, AuthResponse as U, Login as Un, OAuthProviderRecord as Ut, createAuth as V, PinterestProfile as Vn, OAuthProviderConfig as Vt, ConfigSchema as W, MailchimpProfile as Wn, ResponseType as Wt, EditableShapeValibot as X, XProfile as Xn, JWTConfig as Xt, EditableShapeTypebox as Y, strava as Yn, GetStatelessSessionReturn as Yt, EditableShapeZod as Z, x as Zn, JWTConfigBase as Zt, SignInCredentialsAPIReturn as _, createBuiltInOAuthProviders as _n, SchemaTypes as _r, CookieConfig as _t, OAuthEnv as a, JWTSealedMode as an, discord as 
ar, Prettify as at, SignInCredentialsReturnData as b, DribbbleTeams as bn, UserIdentityTypeBox as br, CookieStrategyAttributes as bt, APIOptionsWithRequest as c, JWTStrategyOptions as cn, BitbucketProfile as cr, TypeboxShapeToObject as ct, GetSessionAPIOptions as d, SessionConfig as dn, github as dr, Wrap as dt, JWTExpirationStrategy as en, spotify as er, InferSession as et, GetSessionAPIReturn as f, SessionStrategy as fn, createSyslogMessage as fr, ZodShapeToObject as ft, SignInCredentialsAPIOptions as g, builtInOAuthProviders as gn, IsZod as gr, AuthRuntimeConfig as gt, SignInAPIReturn as h, BuiltInOAuthProvider as hn, IsValibot as hr, AuthInstance as ht, JWTStandardClaims as i, JWTMode as in, Nameplate as ir, Merge as it, UpdateSessionReturn as j, RootInfo as jn, RouterGlobalContext as jt, UpdateSessionAPIReturn as k, FullTeam as kn, LogLevel as kt, APIOptionsWithSkipCSRFCheck as l, SecretKey as ln, bitbucket as lr, UserFrom as lt, SignInAPIOptions as m, User as mn, IsArkType as mr, AuthConfig as mt, AuthClientOptions as n, JWTKeyAlgorithm as nn, gitlab as nr, InferZodShape as nt, TypedJWTPayload$1 as o, JWTSignedMode as on, FigmaProfile as or, RequiredKeys as ot, OptionsWithRedirectTo as p, StatelessStrategyConfig as pn, Identities as pr, AuthAPI as pt, EditableShape as q, SummaryClub as qn, CreateSessionStrategyOptions as qt, JWTPayloadWithToken as r, JWTManager as rn, DiscordProfile as rr, LiteralUnion as rt, APIOptionsWithRedirectTo as s, JWTSigningAlgorithm as sn, figma as sr, SessionFrom as st, AuthClient as t, JWTKey as tn, GitLabProfile as tr, InferUser as tt, FunctionAPIContext as u, Session as un, GitHubProfile as ur, ValibotShapeToObject as ut, SignInCredentialsOptions as v, DribbbleDefault as vn, UserIdentity as vr, CookieName as vt, SignOutAPIReturn as w, AtlassianProfile as wn, UserShapeTypeBox as wr, HostCookie as wt, SignInOptions as x, dribbble as xn, UserIdentityValibot as xr, CredentialsPayload as xt, SignInCredentialsReturn as y, 
DribbbleProfile as yn, UserIdentityArkType as yr, CookieStoreConfig as yt, OAuthError as z, TwitchProfile as zn, AuthorizeParams as zt };